Friday, February 17, 2012

GOM Player '.asx' File Unicode Stack Buffer Overflow Vulnerability[0day] [CVE-2007-0707]

GOM Player is prone to a remote stack-based buffer-overflow vulnerability. The vulnerability is caused by a boundary error when parsing a URL within playlist files. This can be exploited to cause a stack-based buffer overflow via a specially crafted playlist file (e.g. PLS or ASX).



Successful exploitation allows execution of arbitrary code, but requires tricking a user into opening a malicious file.
Failed attacks may cause a denial-of-service condition.

GOM Player 2.1.33.5071 is vulnerable.

Testing shows that GOM Player version 2.1.39.5101 Release [2012.01.10] is no longer vulnerable.
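The advisory's bug class is an over-long playlist URL copied into a fixed-size stack buffer. The following Python pre-check is an added example, not GOM Player's code or anything from the advisory: it parses an ASX document and refuses any entry whose URL exceeds a length limit or uses an unexpected scheme, which is the boundary check the vulnerable parser was missing. MAX_URL_LEN, ALLOWED_SCHEMES and the sample playlists are constructed for the example; the advisory does not state the real buffer size.

```python
import xml.etree.ElementTree as ET

# Constructed policy limit for this example; it is NOT GOM Player's real buffer
# size, which the advisory does not state.
MAX_URL_LEN = 2048
ALLOWED_SCHEMES = ("http://", "https://", "mms://", "mmsh://", "file://")


class PlaylistError(ValueError):
    """Raised when a playlist entry fails the pre-parse checks."""


def parse_asx(data: str) -> list:
    """Return the entry URLs of an ASX document, refusing any entry whose URL
    is longer than MAX_URL_LEN or uses a scheme outside ALLOWED_SCHEMES.

    The length check is the point: the advisory's bug class is a fixed-size
    stack buffer that receives the URL without a bound, so the bound has to be
    enforced before the URL reaches any such copy.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise PlaylistError(f"malformed ASX: {exc}") from None
    if root.tag.lower() != "asx":
        raise PlaylistError(f"not an ASX document (root tag {root.tag!r})")

    urls = []
    for ref in root.iter():
        if ref.tag.lower() != "ref":
            continue
        # ASX files in the wild use either HREF or href.
        href = ref.get("href") or ref.get("HREF") or ""
        if len(href) > MAX_URL_LEN:
            raise PlaylistError(
                f"entry URL too long: {len(href)} characters > {MAX_URL_LEN}")
        if not href.lower().startswith(ALLOWED_SCHEMES):
            raise PlaylistError(f"unexpected scheme in {href[:32]!r}...")
        urls.append(href)
    return urls


def check_playlist(data: str) -> tuple:
    """Convenience wrapper returning (accepted, message)."""
    try:
        urls = parse_asx(data)
    except PlaylistError as exc:
        return False, str(exc)
    return True, f"{len(urls)} entries within limits"


# Constructed sample inputs.
SAFE_ASX = ('<ASX version="3.0"><ENTRY>'
            '<REF HREF="http://media.example.invalid/clip.wmv"/>'
            '</ENTRY></ASX>')
# Same structure, but the URL is far longer than any sane path: this is the
# shape of input the advisory describes, without any payload.
LONG_ASX = ('<ASX version="3.0"><ENTRY>'
            '<REF HREF="http://' + 'A' * 5000 + '"/>'
            '</ENTRY></ASX>')

if __name__ == "__main__":
    for name, doc in (("safe", SAFE_ASX), ("oversized", LONG_ASX)):
        print(name, check_playlist(doc))
```

Real ASX files are often not strictly well-formed XML (unquoted attributes, stray tags), so a production front-end check would need a more lenient tokenizer; the length bound, applied before any copy into a fixed buffer, is the part that matters for this bug class.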

Exploit Code:



Metasploit Module


Saturday, February 11, 2012

Speaking Shell Code (Win32)


A few days back I saw an interesting Facebook status like this:

To know whether your computer is male or female follow the instructions below:

1) Open your notepad
2) Type or copy-paste: CreateObject("SAPI.SpVoice").Speak "I love you"
3) Save as computer_gender.vbs
4) Run the file.

Coool.

I cannot remember who that person was, but I am very thankful to them. Finally, after successful exploitation my target software is no longer going to open a boring calculator (calc.exe). Now it is going to speak. :) :)




My brand new speaking shellcode for the Win32 environment. It has the ability to automatically find the base address of Kernel32.dll and call the required Win32 APIs.

Also available @ http://packetstormsecurity.org/files/109702/Win32-Speaking-Shellcode.html

Basically it uses 5 Win32 APIs. They are

CreateFileA,WriteFile,CloseHandle,WinExec and ExitProcess.

From MSDN:
 
HANDLE WINAPI CreateFile(
  __in      LPCTSTR lpFileName,
  __in      DWORD dwDesiredAccess,
  __in      DWORD dwShareMode,
  __in_opt  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  __in      DWORD dwCreationDisposition,
  __in      DWORD dwFlagsAndAttributes,
  __in_opt  HANDLE hTemplateFile
);


BOOL WINAPI WriteFile(
  __in         HANDLE hFile,
  __in         LPCVOID lpBuffer,
  __in         DWORD nNumberOfBytesToWrite,
  __out_opt    LPDWORD lpNumberOfBytesWritten,
  __inout_opt  LPOVERLAPPED lpOverlapped
);


BOOL WINAPI CloseHandle(
  __in  HANDLE hObject
);


UINT WINAPI WinExec(
  __in  LPCSTR lpCmdLine,
  __in  UINT uCmdShow
);

VOID WINAPI ExitProcess(
  __in  UINT uExitCode
);

The assembly looks like :







Enjoy..:0 

Wednesday, February 1, 2012

How I dumped profile pics of the first 10000 Facebook users within a few hours.


A clip from the movie "The Social Network"

Hi all, in this article I am going to tell you guys how I downloaded the profile/cover picture of the first ten thousand Facebook users within a few hours using a Python script of about 100 lines. Here I have used the Facebook Graph API and an HTML comment present in the profile page of Facebook (you will get to know more about this later on).



So what is the Facebook Graph API?

Using the Facebook Graph API you can retrieve a few pieces of profile information about a Facebook user, like profile id, first name, last name, Facebook username, the user's gender and locale.
To get this information the only thing you have to do is access the following URL.

http://graph.facebook.com/?id=<target profile id>

Just replace the id parameter with your own. One important thing is that the API returns false if the id is not valid. For example, if you try to access id=1 the API will return false because that is not a valid Facebook id. But if you change the parameter to 4 you can see that the API returns the above-mentioned information for Mark Zuckerberg. Using this Graph API I am going to check whether the target profile id is valid or not. You might wonder why I have used this API. It is true that the same thing can be done by accessing http://www.facebook.com/1,2,3 bluh bluh ... like this. My answer is the light weight of this API. You don't have to craft each and every HTTP header just to check for a valid profile id.

Another feature of the Graph API is getting like and share counts for any link. The Graph API returns, as JSON, the count of how many times a link has been shared or liked on Facebook. You can do it this way:

http://graph.facebook.com/?id=http://www.google.com/




Another thing you can do with the Facebook Graph API is block detection. If a user tries to access an invalid profile (for example http://www.facebook.com/profile.php?id=random_number) the application takes the user to a page saying "The page you requested was not found." If a user is blocked by someone, the application does the same. Using the Graph API a user can easily find out whether they are blocked by someone or not.

An interesting HTML comment:

If you look at the source of any profile page of a Facebook user while you are logged in, you can find that Facebook returns the actual image location of the profile/cover pictures through an HTML comment.

For example, Mark Zuckerberg's Facebook profile is http://www.facebook.com/zuck. We can find the image location of his current cover picture by inspecting it, which is

http://a1.sphotos.ak.fbcdn.net/hphotos-ak-ash4/311205_989690200741_4_42618747_1231438675_n.jpg

Looking at the source code of his profile page I found that the application discloses this image path (http://a1.sphotos.ak.fbcdn.net/hphotos-ak-ash4/311205_989690200741_4_42618747_1231438675_n.jpg) through an HTML comment like:

<!-- <div class="fbTimelineTopSectionBase"><div id="pagelet_above_header_timeline" data-referrer="pagelet_above_header_timeline"></div><div id="above_header_timeline_placeholder"></div><div class="fbTimelineSection mtm fbTimelineTopSection"><div id="fbProfileCover"><div class="cover" style="margin-top: -115px;" data-collapse="115"><a class="coverWrap coverImage" href="http://www.facebook.com/photo.php?fbid=989690200741&amp;set=a.941146602501.2418915.4&amp;type=1" rel="theater" id="fbCoverImageContainer"><img class="photo img" src="http://a1.sphotos.ak.fbcdn.net/hphotos-ak-ash4/311205_989690200741_4_42618747_1231438675_n.jpg" style="top:0px;width:100%;" data-fbid="989690200741" alt="Cover Photo" /> -referrer="pagelet_timeline_nav"></div><div id="pagelet_above_header_not_timeline" data-referrer="pagelet_above_header_not_timeline"></div></div></div><div id="timeline_tab_content"><div id="pagelet_escape_hatch" data-referrer="pagelet_escape_hatch"></div><div id="pagelet_timeline_recent" data-referrer="pagelet_timeline_recent"></div></div> -->





One important thing about this is that the application does not return the HTML comment line if you are not logged in to Facebook.

So using this HTML comment it becomes much easier to mass-download Facebook users' profile/cover pictures.
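Seen from the application owner's side, the comment above is an information-disclosure finding: anything inside `<!-- ... -->` is invisible in the rendered page but fully visible to anyone who reads the response. The Python check below is an added example, not the post's script or anything from Facebook: it scans a response for HTML comments, pulls out every URL they contain (the same regular-expression idea the post uses in its extraction step), and flags image URLs separately so the profile/cover picture case stands out. The sample response is constructed after the commented-out cover block the post quotes; its hostnames and ids are placeholders.

```python
import re
from html import unescape

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".webp")


def leaked_urls_in_comments(page: str) -> list:
    """Return every URL that appears inside an HTML comment, de-duplicated and
    in document order.  Entities such as &amp; are decoded first so the URLs
    come out the way a browser would request them."""
    found = []
    for match in COMMENT_RE.finditer(page):
        body = unescape(match.group(1))
        for url in URL_RE.findall(body):
            url = url.rstrip(".,;)")   # trailing punctuation is not part of the URL
            if url not in found:
                found.append(url)
    return found


def audit_response(page: str) -> dict:
    """Summarise what the comments in a response expose: image URLs (the
    profile/cover picture case from the post) versus any other links."""
    urls = leaked_urls_in_comments(page)
    images = [u for u in urls if u.lower().split("?", 1)[0].endswith(IMAGE_EXTS)]
    return {
        "comments": len(COMMENT_RE.findall(page)),
        "leaked_urls": urls,
        "leaked_images": images,
        "flag": bool(urls),            # any URL inside a comment is worth a look
    }


# Constructed sample response, modelled on the commented-out cover block the
# post quotes; the hostnames and ids are placeholders, not real Facebook URLs.
SAMPLE_PAGE = """<html><body>
<div id="profile"><a href="http://www.example.invalid/home">Visible link</a></div>
<!-- <div id="fbProfileCover"><a class="coverWrap coverImage"
 href="http://www.example.invalid/photo.php?fbid=1001&amp;set=a.2002&amp;type=1">
 <img class="photo img" src="http://cdn.example.invalid/hphotos/311205_n.jpg"
 alt="Cover Photo" /></a></div> -->
<!-- TODO: remove debug block before release -->
</body></html>"""

if __name__ == "__main__":
    report = audit_response(SAMPLE_PAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it over rendered templates or recorded responses in CI; a non-empty `leaked_urls` means markup that someone "hid" with a comment is still being served, which is exactly what made the mass download described here cheap.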


My strategy to achieve the target was:

1) Choose any random profile id.
2) Using the Graph API, verify whether the id is valid or not. If the id is not valid, the server will return "false". If the id is valid, the server will return some information like name, profile id, gender, location etc.
3) If the id is valid I will send an HTTP request to facebook.com with all the necessary HTTP headers, for example: http://www.facebook.com/4
The server will then redirect us to the actual profile location, which I will read from the Location HTTP header in the server response.
4) Now I will craft another HTTP request with a valid session cookie and the other mandatory HTTP headers and request the profile page of the target user. The server will then return the client-side code of that user's profile page.
5) After grabbing the client-side code, since the Facebook application returns the actual image location of the profile or cover picture through an HTML comment, the image URL can easily be extracted from the page using a simple regular expression.
6) After getting the image URL it is very easy to download the picture.

I have written this Python script to automate the above-mentioned process:





Abusing the Graph API may not be a very big deal, but I have informed Facebook about this HTML comment present in the profile page and shared this exploit code with them. According to them, cover/profile pictures are meant to be public, so the HTML comment line does not have any direct impact on the Facebook application. But interestingly, after I received their reply mail, the above-mentioned script stopped working like before. Most probably they have implemented some anti-automation technique or something similar to prevent this.

Video: