Sunday, 11 May 2014

VLC Media Player 2.1.3 - .WAV DoS POC

VLC Media Player (2.1.3 Rincewind) - .WAV DoS Exploit:

!exploitable results:
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at msvcrt!strcspn+0x000000000000002d (Hash=0x0c543936.0x0c29261d)
The data from the faulting address is later used to determine whether or not a branch is taken.
Download Here.

Saturday, 10 May 2014

MPlayer (05/03/2014) - .WAV DoS POC

MPlayer [05/03/2014] (MPlayer-x86_64-r37182+g09725c1) - .WAV DoS Exploit:

!exploitable results:
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data Execution Prevention Violation near NULL starting at Unknown Symbol @ 0x0000000000000008 called from Unknown Symbol @ 0x00000000067f2340 (Hash=0x48484848.0x53535353)
User mode DEP access violations are probably exploitable if near NULL.
Download Here.

Friday, 22 February 2013

Embedthis Appweb 4.2.0-0 - DoS POC

Embedthis Appweb 4.2.0-0 - DoS Exploit:

!exploitable result:
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at libmpr!mprSeekFile+0x000000000000000f (Hash=0x0c566765.0x0c1b6765)
The data from the faulting address is later used to determine whether or not a branch is taken.
Download Here.

Sunday, 13 January 2013

DD-WRT Network Sniffing

My DD-WRT router unfortunately does not have the option to create a TAP/mirror port, but using iptables we can make a copy of all traffic and forward it to an IP address:

SSH to your router. In this case we are going to forward the copied traffic to my IDS at 192.168.1.200:
iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.200 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.200 --tee
The --tee option sends a copy of each packet to the given gateway and lets the original continue on its normal path; the PREROUTING rule catches packets arriving at the router and the POSTROUTING rule catches packets leaving it, so the IDS sees both directions.
To confirm the rules have been created we can run the following command:
iptables -L -t mangle
To remove the rules we run the following command (note that this flushes every rule in the mangle table, not just the two above):
iptables -F -t mangle

Thursday, 18 October 2012

VLC Media Player 2.0.3 - .AVI DoS POC

VLC media player (2.0.3 Twoflower) - .AVI DoS Exploit:

!exploitable result:

Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at KERNELBASE!lstrlenW+0x000000000000001a (Hash=0x2e3a5a04.0x79532c61)
The data from the faulting address is later used to determine whether or not a branch is taken. 
Download Here.

Sunday, 7 October 2012

Nitro Pro 8.0.3.1 - .PDF DoS POC

New Nitro Pro 8 (8.0.3.1) PDF Reader - .PDF DoS Exploit:

!exploitable result:

BUG_TITLE:Exploitable - User Mode Write AV starting at npdf!ProvideCoreHFT+0x000000000010886a (Hash=0x265b4f1d.0x020d4f2c)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.
Download Here.

Saturday, 10 March 2012

Android ColorNote, notes recovery

So I decided to upgrade the custom Android ROM on my HTC HD2 (Leo), and totally forgot about some of the important notes I left in the Android app ColorNote.

Fortunately before I upgraded my ROM, I made a backup using Clockwork Recovery Mod and saved it to my PC.

So I put my forensics hat on and got to work:

The backup consisted of the following files:
.android_secure.img
boot.img
cache.img
data.img
nandroid.md5
recovery.img
sd-ext.img
system.img
The IMG files use Yet Another Flash File System (YAFFS).
A quick Google and I came across this post on the XDA Devs Forums.
(Download the attachment from the forum thread.)
This is a Cygwin-ported version of 'unyaffs'.

Next was to work out which IMG file to use... So I cheated and asked Android guru Noobhands who pointed me at the data.img (Thx dude!).

'unyaffs' is simple to use:
unyaffs.exe data.img
This extracts the contents of the IMG to the current folder.

Android apps store data in the "data" folder. Having a large number of apps on my phone, I now had to work out which folder was actually ColorNote.
The easy way to do this is to look at the app's ID in Google Market:
https://play.google.com/store/apps/details?id=com.socialnmobile.dictapps.notepad.color.note
Sure enough, the folder is there. Within this folder is the folder "databases".
This folder contains the following:
colornote.db
internal.db
internal.db-shm
internal.db-wal
Quickly examining the .DB files with a hex editor, I confirmed they were SQLite 3 databases.
So I opened colornote.db in SQLite Browser, switched to the 'Browse Data' tab and changed the table to "notes", and sure enough all my missing notes were there! woot! :)

What's also interesting is that all of my old deleted notes are still stored, along with the 'create', 'modified', and 'minor modified' dates.
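A scripted version of the checks in this post, added here as an example and not code from the post: it reads the 100-byte header to confirm the "SQLite format 3" magic and whether the file is in WAL mode (which is what the -wal and -shm files beside internal.db indicate), then lists the tables the Browse Data tab would offer. The colornote.db stand-in it builds is constructed, and its notes schema is assumed rather than the app's real one.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def parse_sqlite_header(data: bytes):
    """Return header facts for a SQLite 3 file, or None if the magic is absent."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        return None
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    # Bytes 18/19 are the write/read format versions: 1 = rollback journal, 2 = WAL.
    # In WAL mode the -wal file may hold committed pages not yet in the .db: copy all three files.
    journal = "wal" if data[18] == 2 else "rollback"
    return {"page_size": page_size, "journal": journal}

def identify_file(path: str):
    with open(path, "rb") as fh:  # only the header is needed, like a hex-editor look
        return parse_sqlite_header(fh.read(100))

def list_tables(path: str):
    """Table names from sqlite_master, i.e. the choices in the Browse Data tab."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        return sorted(r[0] for r in rows)
    finally:
        con.close()

def make_sample_db(directory: str) -> str:
    """Constructed stand-in for colornote.db; the schema is assumed, not the app's."""
    path = os.path.join(directory, "colornote.db")
    con = sqlite3.connect(path)
    try:
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, note TEXT)")
        con.execute("INSERT INTO notes (title, note) VALUES ('wifi', 'constructed sample')")
        con.commit()
    finally:
        con.close()  # closing the last connection checkpoints the WAL into the .db
    return path

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # build the sample and inspect it
        db = make_sample_db(tmp)
        return identify_file(db), list_tables(db)
```

Call demo() to run it end to end; on a real extraction, point identify_file and list_tables at a copy of the databases folder that includes the -wal and -shm files.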