17 posts tagged 'exploit'

2011.07.06 20:02

POC of Vsftpd backdoor discovered

The downloadable source code of vsftpd version 2.3.4 was compromised and a backdoor was added to the code; this was confirmed by Evans, the author of vsftpd. The Metasploit module exploits the malicious backdoor that was added to the VSFTPD download archive. This backdoor was present in the vsftpd-2.3.4.tar.gz archive sometime before July 3rd 2011.

The bad tarball included a backdoor in the code which would respond to a user logging in with a user name by listening on port 6200 for a connection and launching a shell when someone connects.

If you have upgraded your VSFTPD, check it.

Affected versions :

  • vsftpd-2.3.4 from 2011-06-30

Metasploit demo :

  • use exploit/unix/ftp/vsftpd_234_backdoor
  • set RHOST localhost
  • set PAYLOAD cmd/unix/interact
  • exploit
  • id
  • uname -a 

Source: PenTestIT

Comment 1
  1. 0000 2012.09.20 23:25

    Um... how does the intrusion actually work?
    Do you just find the backdoor and get in through it?
    Or, like a reverse shell, does it just get broken into if a vulnerable vsftpd version is used?

2011.06.22 19:23

Metasploit Framework 3.7.2 Released


“The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.”

This is the official change log:
Statistics:

  • Metasploit now ships with 698 exploit modules, 358 auxiliary modules, and 54 post modules.
  • 11 new exploits, 1 new auxiliary module, and 15 new post modules have been added since the last release.

New Exploit Modules since 3.7.1:

  • MS11-050 IE mshtml!CObjectElement Use After Free
  • AWStats Totals =< v1.14 multisort Remote Command Execution
  • IBM Tivoli Endpoint Manager POST Query Buffer Overflow
  • Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute
  • Magix Musik Maker 16 .mmm Stack Buffer Overflow
  • VisiWave VWR File Parsing Vulnerability
  • GoldenFTP PASS Stack Buffer Overflow
  • DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow
  • 7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow
  • 7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
  • 7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow

Notable Features & Closed Bugs:

  • Cachedump merged (#505, #310)
  • Remote Registry commands for Meterpreter (#1894)
  • Create a ROP gadget search tool (#4044)
  • Update Nmap XML parsers to support Nokogiri parsing (#4578)
  • db_import failing with ip360 XML imports (nCircle imports) (#4619)
  • packetfu library – HSRP code (#4430)
  • PCAPRUB support on Windows XP also in Debian 5.0.8 and Ubuntu 10.10 (#4558 / #4554)
  • Egghunter now disables DEP (#4375)
  • Sign the java_signed_applet with OpenSSL instead of RJB. (#3440)
  • Add 64 bit linux shellcode (#4451)
  • Regression in Meterpreter pivoting fixed (#4642)
  • New tools Script – module_rank.rb (#4334)
  • Enhancements to SMTP User Enumeration Utility (aux/scanner/smtp/smtp_enum) (#4031) 


Source: www.pentestit.com

2011.02.21 19:40

More about the JailbreakMe PDF exploit

Today the source code of the JailbreakMe exploit has been released, so maybe this explanation comes a bit late. In the update to the previous post about this subject I knew that I was right about the overflow in the argument stack when parsing the charstrings in the Type 2 format, so here is a little more info.

After decoding the stream of object 13 we can see the following bytes (talking about this file):

The selected bytes are the important ones for this exploit because the overflow occurs when parsing them. As I mentioned, the Type 2 format is composed of operands, operators and numbers, and uses a stack to push and pop values. This stack has a maximum size of 48 elements. These tips help to understand the meaning of the bytes:

  • The 0xFF byte means that the next 4 bytes are interpreted as a 32-bit two’s-complement number that will be pushed into the stack.
  • 0x0C17 is the random operator that returns a pseudo random number greater than zero and less than or equal to one. This operator doesn't take any argument from the stack.
  • The operator 0x0C04 is an or that takes two arguments from the stack and pushes a 0 if both arguments are zero and a 1 otherwise.
  • 0x0C1D is the index operator, which takes an argument num from the stack and pushes a copy of the element at position num of the stack onto the top of it.
  • The drop operator is composed of the bytes 0x0C12 and removes the top element of the stack.

Then, from the stack-modification perspective, we can separate the bytes into 4 sets of "instructions":

  • 0xFFXXXXXXXX (45*5 bytes): pushes XXXXXXXX onto the stack. There is a limit on the number of "instructions" of this type because the argument stack size is checked in this case, so the maximum number of values we can push is 45.
  • 0x0C170C170C040C1D (20*8 bytes): pushes the stack element at position 1 (one position below the top element) onto the stack. The position is always 1 because the random elements pushed are always non-zero, so in this case it will be 0x00C00000.
  • 0x0C170C1D (170*4 bytes): pushes the element at the position specified by the random number onto the stack. The random number always fits in 16 bits, and after a 16-bit shift to the right it becomes 0, so the pushed value will always be the top of the stack, 0x00C00000.
  • 0x0C1D0C12 (42*4 bytes): pushes the stack element at position C0 onto the stack and then removes it. The first "instruction" of this type pushes F00DF00D (the 4th-last number pushed with FF), and the following "instructions" write the 41 previous numbers into the stack.

These "instructions", except the FF one, don't check if the stack is full before pushing values, so after parsing and executing them the stack state will be similar to this image, being 48*4 the maximum size for the stack:

After the last 0x0C12, an FF "instruction" is executed, which checks the stack size and returns from the function with an error code. Successful exploitation will depend on the program and the architecture where the PDF file is parsed. As you know, this affects Apple products (now patched) and Foxit Reader. In the case of the latter we can exploit it easily through a SEH overflow, putting the shellcode into the bytes pushed by the FF "instructions". Here we'll have more than 100 bytes for it, depending on the SEH position. Anyway, we can jump from here to the rest of the decoded stream and really do what we want.
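As an added example (not code from the original post or from the JailbreakMe source), a bounds-checked interpreter for the five operators described above: it refuses any push beyond the 48-element argument stack and any index that reaches past the stack bottom, i.e. the check the post says the vulnerable parser applied only to the 0xFF operand. The random operator is modelled by a constructed constant RANDOM_VALUE, and the 16.16 fixed-point shift of the index argument follows the post's description.

```python
import struct

MAX_STACK = 48                                   # Type 2 argument-stack limit named in the post
RANDOM, OR, DROP, INDEX = 0x17, 0x04, 0x12, 0x1D  # escaped operators: the byte after 0x0C
RANDOM_VALUE = 0x8000  # constructed stand-in for random: non-zero and below 1.0 in 16.16 fixed point
class CharstringError(Exception):
    """The charstring would over- or underflow the argument stack."""
def check_charstring(data: bytes, limit: int = MAX_STACK) -> int:
    """Interpret the post's operator subset, bounds-checking every push and pop; return the deepest level."""
    stack, deepest, pos = [], 0, 0
    def push(value):
        nonlocal deepest
        if len(stack) >= limit:                  # the vulnerable parser applied this only to 0xFF
            raise CharstringError(f"stack overflow at offset {pos}")
        stack.append(value & 0xFFFFFFFF)
        deepest = max(deepest, len(stack))
    def pop():
        if not stack:
            raise CharstringError(f"stack underflow at offset {pos}")
        return stack.pop()
    while pos < len(data):
        if data[pos] == 0xFF:                    # next 4 bytes: 32-bit two's-complement operand
            if pos + 5 > len(data):
                raise CharstringError("truncated 0xFF operand")
            push(struct.unpack(">i", data[pos + 1:pos + 5])[0])
            pos += 5
            continue
        op = data[pos + 1] if data[pos] == 0x0C and pos + 1 < len(data) else None
        if op == RANDOM:
            push(RANDOM_VALUE)
        elif op == OR:
            a, b = pop(), pop()
            push(0x10000 if (a or b) else 0)     # 1.0 or 0.0 in 16.16 fixed point
        elif op == INDEX:
            i = pop() >> 16                      # 16.16 operand -> position counted from the top
            if i >= len(stack):
                raise CharstringError(f"index {i} reaches past the stack at offset {pos}")
            push(stack[-1 - i])
        elif op == DROP:
            pop()
        else:
            raise CharstringError(f"unsupported operator at offset {pos}")
        pos += 2
    return deepest

def is_well_formed(data: bytes) -> bool:
    try:
        return check_charstring(data) >= 0
    except CharstringError:
        return False
```

With 45 FF pushes followed by the random/random/or/index sequence, the third repetition is rejected at the push that would become element 49; the index/drop pair with 0x00C00000 on top is rejected because position 0xC0 lies outside a 48-element stack.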

Source: http://eternal-todo.com
