Posted by Trancer on Jun 16 2009

As of June 1st, the Chinese government requires every personal computer in China to install, or be sold with, the Green Dam Youth Escort censorware program. Three security researchers from the University of Michigan, Scott Wolchok, Randy Yao and J. Alex Halderman, have released an analysis of the Green Dam censorware system, disclosing multiple vulnerabilities and weaknesses in it. You can read the whole story on the ZDNet Zero Day blog.
The vendor, Jinhui Computer System Engineering Ltd., has already patched the vulnerabilities, but you can still find vulnerable installations with Google if you want to test it.

One of the vulnerabilities disclosed in the security analysis is a remotely exploitable stack-based buffer overflow in the way Green Dam processes overly long URLs (OSVDB 55126). seer[N.N.U] posted a simple exploit for this vulnerability on milw0rm.
Here I've written a Metasploit exploit module for Internet Explorer which exploits this stack-based buffer overflow in Green Dam 3.17. The module uses the .NET DLL memory technique by Alexander Sotirov and Mark Dowd and should bypass DEP, NX and ASLR.
I’ve tested this exploit successfully on the following platforms:
– Internet Explorer 6, Windows XP SP2
– Internet Explorer 7, Windows XP SP3
– Internet Explorer 7, Windows Vista SP1

Download greendam_url.rb.
Also on Metasploit and milw0rm.

References:
OSVDB 55126

According to the latest Microsoft Security Intelligence Report, China is the world's leading country in malware distribution, so I guess they deserve some pwning :P

Categories: Exploits, Metasploit


Posted by Trancer on Jun 11 2009

Phrack magazine is out with a fresh issue. You can grab a copy on the Phrack site.

Categories: Security News


Posted by Trancer on Jun 03 2009

Here's a shiny new mixin I wrote for the Metasploit framework: the Java Compilation mixin.
The purpose of this mixin is to put the power of Metasploit to use for writing and compiling Java code on the fly.
The mixin's main use is to write, compile and embed Java code (Java applets) in HTML pages, mainly for exploit and auxiliary modules that target vulnerabilities in the JRE/JVM.
The Java compilation mixin can also be used to build fuzzers and other testing tools for the JRE/JVM.

Code:
javacompile.rb.

Installation:
Place the mixin in the following path:
\msf3\lib\msf\core\exploit

Include the mixin in the \msf3\lib\msf\core\exploit.rb file:
# JavaCompile
require 'msf/core/exploit/javacompile'

Using the mixin in exploit and auxiliary modules:
include Msf::Exploit::JAVACOMPILE

The mixin requires the JDK to be installed; get it from Sun.

Usage:
OUTPUTPATH defines the path of the working directory, where the generated files are created.

The java_compile(filename, data) function compiles Java code: filename sets both the file name and the public class name (Java requires the two to match), and data holds the Java source.

The java_clean(filename) function cleans the working directory: filename names the file whose .java and .class files are deleted from the working directory.

Demonstration:
The following "exploit" module demonstrates the Java compilation mixin by calling a simple Java applet (displaying "Hello World") from an HTML page:
java_hello.rb (See comments in the code).
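To make the Usage section concrete, here is an added, stand-alone Ruby re-creation of the interface the post describes (OUTPUTPATH, java_compile, java_clean), exercised with the same kind of Hello World class the demonstration uses. It is not the author's javacompile.rb and does not hook into Metasploit; the module name, the temp-directory OUTPUTPATH, the javac keyword argument and the name checks are assumptions of this example, and the JDK's javac must be on PATH for compilation to succeed.

```ruby
require 'fileutils'
require 'tmpdir'

# Stand-alone re-creation of the interface described in the post
# (OUTPUTPATH, java_compile, java_clean). Added example, not the
# author's javacompile.rb; needs the JDK's javac on PATH to compile.
module JavaCompileDemo
  # Working directory where .java and .class files are created
  OUTPUTPATH = File.join(Dir.tmpdir, 'javacompile_demo')

  def self.source_path(filename)
    File.join(OUTPUTPATH, "#{filename}.java")
  end

  def self.class_path(filename)
    File.join(OUTPUTPATH, "#{filename}.class")
  end

  # True when a javac binary can be executed on this host
  def self.javac_available?
    system('javac', '-version', out: File::NULL, err: File::NULL) ? true : false
  end

  # Write +data+ to <filename>.java in OUTPUTPATH and compile it.
  # As in the post, +filename+ is both the file name and the public
  # class name; Java itself requires the two to match, so a mismatch
  # is rejected before anything touches disk. Returns the .class path
  # on success, nil when javac is missing or compilation fails.
  def self.java_compile(filename, data, javac: 'javac')
    unless filename =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/
      raise ArgumentError, "invalid class name: #{filename}"
    end
    unless data =~ /\bpublic\s+class\s+#{Regexp.escape(filename)}\b/
      raise ArgumentError, "public class #{filename} not found in source"
    end
    FileUtils.mkdir_p(OUTPUTPATH)
    File.write(source_path(filename), data)
    # -d keeps the class file next to the source, where java_clean expects it
    ok = system(javac, '-d', OUTPUTPATH, source_path(filename))
    ok && File.exist?(class_path(filename)) ? class_path(filename) : nil
  end

  # Delete both the .java and the .class file for +filename+
  def self.java_clean(filename)
    FileUtils.rm_f([source_path(filename), class_path(filename)])
  end
end
```

Wrapping the compile step this way also makes the failure modes visible: a class-name mismatch is rejected up front, and a missing or failing javac yields nil instead of a half-written working directory.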

This mixin is still at an early stage and will be modified and improved over time; any kind of feedback and suggestions are welcome.
Cool exploits soon to follow :-)

Categories: Metasploit

