Posted by Trancer on Jul 30 2009

The hacking group ZF0 (Zero For 0wned) released the 5th edition of their eZine / hacklog.
You can download it here – zf05.txt

In this issue they owned quite a few hacking and information security websites:
mitnicksecurity.com (Kevin Mitnick)
0x000000.com (Ronald van den Heetkamp)
doxpara.com (Dan Kaminsky)
perlmonks.org (Perl Monks)
elitehackers.com/info (EliteHackers)
binrev.com (Binary Revolution)
invisiblethingslab.com (Joanna Rutkowska)
and more…

Also in this issue is ZF0's version of the Pwnie Awards, which is quite funny. Congratulations to xorl, one of my favorite security blogs, for winning the best blog category; read his speech on Full-Disclosure.

I'd like to clarify that I don't support this group or their actions whatsoever; they got really nasty in this one. But still, I recommend you read it.

Categories: LOLz


Posted by Trancer on Jul 28 2009

Here's a new Metasploit exploit module I wrote for the AwingSoft Web3D Player SceneURL() stack-based buffer overflow vulnerability.

This module exploits a stack-based buffer overflow within the Winds3D Viewer of AwingSoft Awakening 3.0 (WindsPly.ocx v3.5.0.0). This ActiveX control is a plugin of AwingSoft Web3D Player. By setting an overly long value to 'SceneURL()', an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by shinnai and was published recently on milw0rm and on shinnai's web site.

Download awingsoft_web3d_bof.rb.
Also on Metasploit.

References:
OSVDB 60017

Enjoy.

Categories: Exploits, Metasploit


Posted by Trancer on Jul 16 2009

Fyodor of Insecure.org announced today a new version of the Nmap Security Scanner – Nmap 5.00.
The new version offers many new features and performance improvements, and the Insecure.org team considers this the most important Nmap release since 1997.

You can read the announcement on the Nmap web site and grab a copy from the download page.

Categories: Tools


Posted by Trancer on Jul 06 2009

The CSIS Security Group found (credit correction – see the update below) a 0day exploit in the wild that exploits a vulnerability within Microsoft DirectShow (msvidctl.dll) in the way it handles MPEG-2 files.
The exploit is used to perform drive-by attacks via compromised Chinese web sites.
The original exploit (as found in the wild) can be found here (shellcode changed to execute calc.exe) – aa.rar.
You can read the translated post here or read this post from ISC diary.

Here's a Metasploit exploit module I wrote that exploits this vulnerability.
Tested successfully on the following platforms (fully patched 06/07/09):
– Internet Explorer 6, Windows XP SP2
– Internet Explorer 7, Windows XP SP3

Download msvidctl_mpeg2.rb.
Also on Metasploit.

Also, if you want to test this vulnerability manually, here's a little Ruby script I wrote that builds GIF files to trigger the vulnerability:
Download msvidctl_gif.rb.

This is the second exploit found in the wild in the past month that exploits a vulnerability in Microsoft DirectShow. In June, an exploit was found in the wild that exploited a vulnerability in the DirectShow QuickTime Movie Parser Filter (quartz.dll). Liam O Murchu of Symantec wrote an analysis of this exploit here:
DirectShow Exploit In the Wild
DirectShow Exploit In the Wild, Part II

This post will be updated with additional information about this vulnerability.

Updates:

>> It seems that CSIS Security Group wasn't the first to discover this exploit in the wild; KingSoft from China was the first to spot it – KingSoft blog (translated).
Thanks to Carsten Eiram for pointing it out.

>> References:
CVE-2008-0015
OSVDB 55651
BID 35558
Microsoft Security Advisory (972890)
SA35683

>> Blog posts and news:
Microsoft Security Research & Defense blog
ZDNet Zero Day blog
Symantec Connect blog

>> The SANS ISC Handler's Diary has posted a blog post that will be updated frequently with a list of domains that are actively exploiting this vulnerability. Note that the vast majority of the domains are up for only a short period of time – IE 0day exploit domains (updating).

>> As the CVE number implies (early 2008), it turns out that Microsoft was aware of this vulnerability for a long time. In the security advisory, Microsoft thanks Ryan Smith and Alex Wheeler of Hustle Labs of ISS X-Force for initially reporting this vulnerability. Well, I guess that's what happens when you wait too long to patch a vulnerability: eventually someone else will discover it and won't choose the path of responsible disclosure.

>> Guido Landi details the vulnerability in his blog – PornoSecurity.

>> In their security advisory, Microsoft recommends setting the kill bit for 44 classids. With some of them it is possible to reproduce the bug. Check out I)ruid's update for the Metasploit exploit.

>> Microsoft Video ActiveX control 0day technical details blog post by TippingPoint DVLabs.

>> Interesting post regarding this vulnerability by Halvar Flake – Poking around MSVIDCTL.DLL.

>> Microsoft addressed the msvidctl.dll memory corruption vulnerability in MS09-032. The "patch" does NOT fix the vulnerability; it only sets the kill bit for all the vulnerable Video ActiveX controls.
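Since both the advisory and MS09-032 rely on kill bits rather than a code fix, the practical check on a machine is whether the kill bit is actually set for each affected control. Here is a PowerShell script I am adding as an example (not the post's, Microsoft's or Metasploit's code) that reports kill-bit status for a list of CLSIDs; the CLSIDs in it are placeholders, since the advisory's 44 are not listed here, and the registry path and the 0x400 flag are the documented IE kill-bit mechanism.

```powershell
# Added example: audit ActiveX kill bits for a list of CLSIDs.
# IE honours the kill bit when bit 0x400 of the "Compatibility Flags" DWORD
# is set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# On 64-bit Windows, 32-bit IE reads the same key under Wow6432Node as well.

$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Placeholder CLSIDs (constructed for this example); replace with the 44 from the advisory.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

function Test-KillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    $keyPath = Join-Path $BasePath $Clsid
    $flags   = 0
    $exists  = Test-Path $keyPath
    if ($exists) {
        $value = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $value) { $flags = [int]$value }
    }

    New-Object PSObject -Property @{
        Clsid      = $Clsid
        KeyExists  = $exists
        Flags      = ('0x{0:X8}' -f $flags)
        KillBitSet = (($flags -band $KillBit) -eq $KillBit)
    }
}

$results = $Clsids | ForEach-Object { Test-KillBit -Clsid $_ }
$results | Format-Table Clsid, KeyExists, Flags, KillBitSet -AutoSize

# Controls without the kill bit can still be instantiated by IE and remain exposed.
$unmitigated = @($results | Where-Object { -not $_.KillBitSet })
if ($unmitigated.Count -gt 0) {
    Write-Warning ("{0} CLSID(s) without kill bit: {1}" -f $unmitigated.Count, ($unmitigated.Clsid -join ', '))
}
```

Run it from an elevated prompt after applying the advisory workaround or MS09-032; any CLSID reported without the kill bit is one the mitigation has not covered on that host.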

>> Microsoft fixed the source of the msvidctl.dll memory corruption vulnerability in MS09-037.

Categories: Exploits, Metasploit

