This vulnerability was discovered by bellick of the Nine:Situations:Group and the original advisory can be found on the Nine:Situations:Group web site – South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges.
As you can understand from the advisory, local elevation of privileges is possible due to bad (empty actually) security descriptor of the South River Technologies WebDrive service.

This exploit was inspired by MC’s HP PML Driver HPZ12 privilege escalation exploit.
In this exploit I’ve also added a mitigation option, which will set correct service security descriptor configuration for SRT WebDrive. Note that the vulnerability is still unpatched, exploit tested on the latest version of SRT WebDrive.

The exploit was successfully tested on the following platforms:
– South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.

Download srt_webdrive_priv.rb.
Also on Metasploit and exploit-db.

References:
CVE-2009-4606
OSVDB 59080
BID 37955
exploit-db 9970

This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to ‘Import()’, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. Still no patch from AOL, if you want to test it you can get the vulnerable package from the AOL 9.5 page.

The exploit was successfully tested on the following platforms:
– AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3

Phobos.dll version tested:
– File Version: 9.5.0.1
– ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
– RegKey Safe for Script: False
– RegKey Safe for Init: False
– Implements IObjectSafety: False
– KillBitSet: False

Due to the safe for initialization and safe for scripting settings of this ActiveX control, exploitation is possible only from Local Machine Zone, which means the victim must run the generated exploit file locally.

Download aol_phobos_bof.rb.
Also on Metasploit and exploit-db.

References:
OSVDB 61964
exploit-db 11204

• Exploit writing tutorial part 1 : Stack Based Overflows
• Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
• Exploit writing tutorial part 3 : SEH Based Exploits
• Exploit writing tutorial part 3b : SEH Based Exploits – just another example
• Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
• Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
• Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
• Exploit writing tutorial part 7 : Unicode – from 0×00410041 to calc
• Exploit writing tutorial part 8 : Win32 Egg Hunting

Enjoy the reading!

• HTTP Response Splitting vulnerability
• Open Redirection vulnerability

cPanel HTTP Response Splitting Vulnerability – Security Advisory (PDF).
cPanel HTTP Response Splitting Vulnerability – Security Advisory (TXT).

I’d like to point out the lame work of the cPanel Security Team on these vulnerabilities. Usually when I report a vulnerability, I get some kind of interaction with the vendor developers and/or the security team, most of the times I enjoy working with the people involved. In this case, the cPanel Security Team were unresponsive. Eventually I was forced to release the security advisory even though one of the vulnerabilities (the Open Redirection vulnerability) is still unpatched.

References:
BID 37902
OSVDB 61954
exploit-db 11211

This version offers new tools, new kernel and tons of bug fixes. And, BackTrack Linux is no longer a part of remote-exploit.org, it got a new home at backtrack-linux.org.

I used the new version for the last couple of days and find it to be very useful and cool, recommended!
Download BackTrack Linux 4.

Metasploit Unleashed – Mastering the Framework online course will give you a solid knowledge base to start working with the Metasploit Framework, from simple things such as lunching an exploit to post exploitation, Meterpreter scripting and more.

But the greatest thing about this course is its main purpose, which is to promote awareness and raise funds for underprivileged children in East Africa. So if you enjoy the course and find it useful, please make a donation to Hackers For Charity.

The Metasploit Project creator, HD Moore, and one of the developers, Egypt, now got a full time job working on and developing the Metasploit Project. HD in the position of Chief Architect of Metasploit and Egypt as a core developer of Metasploit at Rapid7.

If you read this blog often you probably noticed that I’m a big supporter of the Metasploit Project. I use it on a daily basis, preforming penetration tests and exploit development while at work or at home for fun. As you may guess, my feelings about the acquisition are mixed. On one side this is a good thing, this is a big step for the Metasploit Project. Now it’ll grow and develop faster and rapidly and us, the users, will get a better, faster, more advanced and less buggy program, and I believe we’ll start seeing faster release cycles. But on the other side, now the Metasploit Project which was a free, open source, community driven project, is managed by a commercial company. I think the worst case scenario will be if Rapid7 decide to make Metasploit a commercial product, which will be a sad thing. This won’t be the first time it’ll happen to a good security product. The best example here is the Nessus vulnerability scanner which was acquired by Tenable Network Security back in 2005.

I hope the fate of the Metasploit Project won’t be the same as Nessus. HD Moore stated on the Metasploit blog that the project will remain free and open source. So, if that’s the case and long as the Metasploit Project will stay that way I think the users should be happy about it. I will continue to support the Metasploit Project and develop exploits and other modules for it and contribute in every way I can.
I guess all there’s left to say is congratulations to HD Moore and Egypt for the acquisition, keep on rocking.

References:
>> Metasploit Rising – HD Moore write about the acquisition on the Metasploit blog.
>> Rapid7 Acquires Metasploit – The Metasploit acquisition by Rapid7 CEO.
>> Rapid7 Acquisition FAQ – Questions and answers about the acquisition.
>> Metasploit + Rapid7 shakes up pen-test landscape – Ryan Naraine write about the penetration testing market changes followed by the acquisition.

• SSL & Trasport Layer Security Protocol by cp77fk4r
• Manual Unpacking by Zerith
• Virus Loading Techniques by cp77fk4r
• RFID Hacking by cp77fk4r
• Port Knocking by cp77fk4r
• Kerberos v5 Protocol by cp77fk4r
• DNS Cache Poisoning by cp77fk4r

You can download it here – Digital Whisper issue #2.

Have a great reading.

As stated on Bezeq Int SafeNet page (and details), this service cost 13.90 NIS a month and should be some kind of content filtering system, providing users protection from Malware (viruses, worms, trojan horses, spyware), HTML exploits, malicious Activ-X and JAVA code, Fishing web sites and more (note I deliberately misspelled the definitions, that’s how it’s wrote on the SafeNet service specification page).

Well, after running a series of tests I can surly say Bezeq Int SafeNet service provide non of these protections what so ever. In fact, it doesn’t provide any sort of active protection. The only protection SafeNet service provides is blocking supposedly malicious web sites using an out-of-date domain names blacklist.

For example, trying to access Packet Storm Security web site will result in a redirection to a Bezeq Int domain, displaying this SafeNet message:

Click to enlarge.

The SafeNet service blacklist doesn’t include milw0rm and other hacking related web sites. I even ran test against active Malware serving pages, Phishing web sites and rouge Anti-Virus sites, non of which have been blocked by Bezeq Int SafeNet service.

Furthermore, the SafeNet service domain blacklist function can be bypassed rather easily. It is possible to access blacklisted domains using their IP addresses:

Click to enlarge.

In conclusion, Bezeq Int SafeNat service provide users no affective protection against any kind of threat and Bezeq Int doesn’t provide their customers any of the promised functions stated on the SafeNet service specification.
In my opinion, Bezeq Int SafeNet service is a total rip-off and if you are registered to it I recommend you’d cancel the service immediately.

The vulnerability was found in HTTPDX HTTP/FTP server version 1.4 by Pankaj Kohli and the original exploit can be found on his website – httpdx 1.4 GET Request Remote Buffer Overflow Exploit (0day).

This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The vulnerability is caused due to a boundary error within the “h_handlepeer()” function in http.cpp. By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.

Download httpdx_handlepeer.rb.
Also on Metasploit.

References:
CVE-2009-3711
OSVDB 58714

• Windows Privilege Escalation by cp77fk4r
• Manual Packing by HLL
• Introduction to Artificial Intelligence by UnderWarrior
• Lock Picking by cp77fk4r
• WEP Encryption by Hertzel Levi
• Introduction to Recursion in C by UnderWarrior
• HTTP Attacks – Response Splitting by cp77fk4r

If anyone is willing to contribute, submit an article or give a feedback, contact Digital Whisper crew here – editor[AT]digitalwhisper.co.il