Friday, 22 February 2013

Embedthis Appweb 4.2.0-0 - 0Day DoS POC

New Embedthis Appweb 4.2.0-0 0Day DoS exploit.

!exploitable result:
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at libmpr!mprSeekFile+0x000000000000000f (Hash=0x0c566765.0x0c1b6765)
The data from the faulting address is later used to determine whether or not a branch is taken.
Download Here.

Sunday, 13 January 2013

DD-WRT Network Sniffing

My DD-WRT router unfortunately does not have the option to create a TAP/mirror port, but using iptables we can make a copy of all traffic and forward it to an IP:

SSH to your router; in this case we are going to forward traffic to my IDS at 192.168.1.200:
iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.200 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.200 --tee
To confirm the rules have been created we can run the following command:
iptables -L -t mangle
To remove the rule we run the following command:
iptables -F -t mangle
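A small helper around the procedure above, added here and not part of the original post: it validates the IDS address, generates the exact add/delete commands for both chains, and checks an `iptables -L -t mangle -n` listing for the mirror rules. The listing format (the `ROUTE gw:<ip> tee` wording) is a constructed sample, not captured router output.

```python
"""Added example (not from the original post): a helper for the mirroring
setup above. It validates the IDS address, builds the exact iptables commands
for both chains, and checks 'iptables -L -t mangle -n' output for the rules.
SAMPLE_LISTING is constructed; the real ROUTE target wording may differ."""
import ipaddress

CHAINS = ("PREROUTING", "POSTROUTING")

def valid_ip(addr):
    """True for a well-formed IPv4 address (e.g. the IDS at 192.168.1.200)."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        return False

def mirror_rule(chain, ids_ip):
    """Rule specification (argv form) mirroring one chain's traffic to ids_ip."""
    if not valid_ip(ids_ip):
        raise ValueError("bad IDS address: %r" % ids_ip)
    return [chain, "-t", "mangle", "-j", "ROUTE", "--gw", ids_ip, "--tee"]

def mirror_commands(ids_ip, action="add"):
    """argv lists that add (-A) or delete (-D) both mirror rules. Deleting by
    exact spec avoids 'iptables -F -t mangle', which flushes every mangle rule."""
    flag = {"add": "-A", "del": "-D"}[action]
    return [["iptables", flag] + mirror_rule(c, ids_ip) for c in CHAINS]

def rules_present(listing, ids_ip):
    """Parse 'iptables -L -t mangle -n' text: True only if each chain has a
    ROUTE rule whose gateway token equals ids_ip (no prefix matches)."""
    found, chain = set(), None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif chain in CHAINS and "ROUTE" in line and any(
                tok.split(":")[-1] == ids_ip for tok in line.split()):
            found.add(chain)
    return found == set(CHAINS)

# Constructed listing in the shape of 'iptables -L -t mangle -n' output.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ROUTE      all  --  0.0.0.0/0            0.0.0.0/0            ROUTE gw:192.168.1.200 tee

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ROUTE      all  --  0.0.0.0/0            0.0.0.0/0            ROUTE gw:192.168.1.200 tee
"""
```

Run the returned argv lists over SSH on the router; on iptables builds that lack the ROUTE extension, the equivalent mirroring target is `-j TEE --gateway <ip>`.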

Thursday, 18 October 2012

VLC 2.0.3 - 0Day DoS POC


New VLC media player (2.0.3 Twoflower) 0Day DoS exploit.

!exploitable result:

Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at KERNELBASE!lstrlenW+0x000000000000001a (Hash=0x2e3a5a04.0x79532c61)
The data from the faulting address is later used to determine whether or not a branch is taken. 
Download Here.

Sunday, 7 October 2012

Nitro Pro 8 - 0Day DoS POC

New Nitro Pro 8 (8.0.3.1) PDF Reader 0Day DoS exploit.

!exploitable result:

BUG_TITLE:Exploitable - User Mode Write AV starting at npdf!ProvideCoreHFT+0x000000000010886a (Hash=0x265b4f1d.0x020d4f2c)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.
Download Here.

Saturday, 10 March 2012

Android ColorNote, notes recovery

So I decided to upgrade the custom Android ROM on my HTC HD2 (Leo), and totally forgot about some of the important notes I left in the Android app ColorNote.

Fortunately, before I upgraded my ROM, I made a backup using ClockworkMod Recovery and saved it to my PC.

So I put my forensics hat on and got to work:

The backup consisted of the following files:
.android_secure.img
boot.img
cache.img
data.img
nandroid.md5
recovery.img
sd-ext.img
system.img
The IMG files use the Yet Another Flash File System (YAFFS) format.
A quick Google and I came across this post on the XDA Devs Forums.
(Download the attachment to the forum thread)
This is a Cygwin ported version of 'unyaffs'.

Next was to work out which IMG file to use... So I cheated and asked Android guru Noobhands who pointed me at the data.img (Thx dude!).

'unyaffs' is simple to use:
unyaffs.exe data.img
This extracts the contents of the IMG to the current folder.

Android apps store data in the "data" folder. Having a large number of apps on my phone, I now had to work out which folder was actually ColorNote.
The easy way to do this is to look at the app's ID in Google Market:
https://play.google.com/store/apps/details?id=com.socialnmobile.dictapps.notepad.color.note
Sure enough, the folder is there. Within this folder is the folder "databases".
This folder contains the following:
colornote.db
internal.db
internal.db-shm
internal.db-wal
Quickly examining the .DB files with a Hexeditor I confirmed they were SQLite 3 databases.
So I opened the colornote.db with SQLite Browser, switched to the 'Browse Data' tab, and changed the table to "notes" and sure enough all my missing notes were there! woot! :)

What's also interesting is that all of my old deleted notes are still stored too, along with the 'create', 'modified', and 'minor modified' dates.
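The same triage as above in script form, added here and not part of the original post: it checks the SQLite 3 header, opens the database read-only so the evidence file (and the -wal sidecar next to internal.db) is never modified, and dumps the 'notes' table using the columns the schema itself declares. make_sample_db() builds a constructed stand-in whose column names are hypothetical, not ColorNote's real layout.

```python
"""Added example (not from the original post): triage for the recovered
databases: check the SQLite 3 header, open read-only so the evidence and any
-wal sidecar stay untouched, dump 'notes' with whatever columns the schema
declares. make_sample_db() is a constructed stand-in; columns hypothetical."""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # header string of every SQLite 3 file

def is_sqlite3(path):
    """True if the file starts with the SQLite 3 header string."""
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC

def open_readonly(path):
    """URI open with mode=ro: no writes, no WAL checkpoint on close."""
    return sqlite3.connect("file:%s?mode=ro" % os.path.abspath(path), uri=True)

def list_tables(path):
    con = open_readonly(path)
    try:
        return [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    finally:
        con.close()

def dump_table(path, table="notes"):
    """(column_names, rows); columns come from PRAGMA table_info, so the
    layout need not be known in advance."""
    ident = '"%s"' % table.replace('"', '""')  # quote the identifier
    con = open_readonly(path)
    try:
        cols = [r[1] for r in con.execute("PRAGMA table_info(%s)" % ident)]
        return cols, con.execute("SELECT * FROM %s" % ident).fetchall()
    finally:
        con.close()

def make_sample_db():
    """Constructed colornote.db stand-in with a hypothetical notes table."""
    path = os.path.join(tempfile.mkdtemp(), "colornote.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, "
                "note TEXT, created INTEGER, modified INTEGER)")
    con.executemany("INSERT INTO notes (title, note, created, modified) VALUES (?, ?, ?, ?)",
                    [("wifi", "key is in the drawer", 1331337600, 1331337600),
                     ("old", "deleted in the app, still on disk", 1300000000, 1310000000)])
    con.commit()
    con.close()
    return path
```

Point it at the extracted databases folder and call dump_table on colornote.db; rows that the app no longer shows are still returned, which is what the author observed.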

Monday, 22 August 2011

WinXP Compiled Help File (CHM) DoS (hh.exe)

Here's a PoC Windows XP 'Compiled Help File' (CHM) DoS which has been sitting on my hard disk for a while, tested working on a fully patched WinXP SP3 32-bit machine:

Crashing Executable: hh.exe
Version: 5.2.3790.2453

WinDbg result:
(ed8.edc): Stack overflow - code c00000fd (!!! second chance !!!)
eax=00042968 ebx=000af0b0 ecx=00042964 edx=0007ebb0 esi=000af0b0 edi=0007ebe0
eip=65e3d633 esp=0007e95c ebp=0007ebb4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
itss!_chkstk+0x33:
65e3d633 8501 test dword ptr [ecx],eax ds:0023:00042964=00000000
!exploitable result:
Exploitability Classification: UNKNOWN
Recommended Bug Title: Stack Overflow starting at itss!_chkstk+0x0000000000000033 (Hash=0x7c592e02.0x7a176714)
Download PoC Here

Saturday, 27 February 2010

New 'Alien vs Predator' Format String Bugs

Alien vs Predator (Feb 17 patch) is vulnerable to Format String attacks.

Posting the following in chat (either in game or in the lobby) will crash your game. I am not sure if it will crash other users; I haven't got anybody to test on.

%s%s%s%s%s%s%s%s%s%s
or
%n%n%n%n%n%n%n%n%n%n

Setting your name to '%n' will stop you from ever joining a game; you just get an error reporting you're unable to connect.
Setting your name to '%i' will set your name to random numbers which change as you play.

I tried contacting Steam/Rebellion/Sega, but so far had no response.