tag:blogger.com,1999:blog-38014853245563813262011-12-02T01:07:24.290-08:00shinnainoreply@blogger.comBlogger351100tag:blogger.com,1999:blog-3801485324556381326.post-81489736599928587732007-05-30T16:07:00.000-07:002007-05-30T07:06:43.497-07:00<span style="font-size:85%;"><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070530/zenturi.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070530/zenturitxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-8148973659992858773?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com257tag:blogger.com,1999:blog-3801485324556381326.post-37399680484947317342007-05-29T12:18:00.000-07:002007-05-30T03:17:13.669-07:00<span style="font-size:85%;"><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070529/edrawhttp.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070529/edrawhttptxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-3739968048494731734?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com116tag:blogger.com,1999:blog-3801485324556381326.post-84216222392623582972007-05-28T11:31:00.000-07:002007-05-30T02:30:40.059-07:00<span style="font-size:85%;"><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070528/edraw.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070528/edrawtxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-8421622239262358297?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com135tag:blogger.com,1999:blog-3801485324556381326.post-10872830470136133142007-05-27T18:13:00.000-07:002007-05-28T09:13:24.899-07:00<span style="font-size:85%;"><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070527/leadrasterisis.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070527/leadrasterisistxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-1087283047013613314?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com115tag:blogger.com,1999:blog-3801485324556381326.post-15776916437319311132007-05-26T15:14:00.000-07:002007-05-27T06:14:14.361-07:00<span style="font-size:85%;"><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070526/leadocr.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070526/leadocrtxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-1577691643731931113?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com124tag:blogger.com,1999:blog-3801485324556381326.post-18719849958739152392007-05-25T14:18:00.000-07:002007-05-25T05:07:16.448-07:00<span style="font-size:85%;"><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070525/leadrdfd.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070525/leadrdfdtxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-1871984995873915239?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com74tag:blogger.com,1999:blog-3801485324556381326.post-21926652482221193062007-05-24T12:42:00.000-07:002007-05-24T03:41:01.517-07:00<span style="font-size:85%;"><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070524/leaddfo.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070524/leaddfotxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-2192665248222119306?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com86tag:blogger.com,1999:blog-3801485324556381326.post-66891774135880191522007-05-23T11:15:00.000-07:002007-05-23T02:14:34.228-07:00<span style="font-family: courier new;font-size:85%;" >E alla fine arriva Microsoft :-)<br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070523/ouactrl.html">Dimostrazione online</a><br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070523/ouactrltxt.html">Formato testo</a><br /><br />Contenuto dei registri:<br /></span><pre style="font-family: courier new;" id="line21"><span style="font-size:85%;">EAX 00000000<br />ECX 7E39EC0C USER32.7E39EC0C<br />EDX 7C91EB94 ntdll.KiFastSystemCallRet<br />EBX 38CFD2D0 OUACTRL.38CFD2D0<br />ESP 01D0F434 UNICODE "aaaa..."<br />EBP 00610061<br />ESI 02ACC86C<br />EDI 00000000<br /><br />EIP 00610061</span></pre><span style="font-size:85%;"><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-6689177413588019152?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com68tag:blogger.com,1999:blog-3801485324556381326.post-6889136774334760692007-05-22T15:56:00.000-07:002007-05-25T02:18:36.368-07:00<span style="font-size:85%;"><span style="font-family:courier new;">Bonus</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070522/dartziplite.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070522/dartziplitetxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-688913677433476069?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com26tag:blogger.com,1999:blog-3801485324556381326.post-78894893323775901982007-05-22T10:31:00.000-07:002007-05-22T01:30:49.481-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Oggi non ho voglia di commentare...</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070522/leadisis.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070522/leadisistxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-7889489332377590198?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com38tag:blogger.com,1999:blog-3801485324556381326.post-75395272837619780982007-05-21T12:24:00.000-07:002007-05-21T03:23:38.477-07:00<span style="font-size:85%;"><span style="font-family: courier new;">E' possibile, usando il metodo "<span style="font-weight: bold;">WriteDataToFile</span>" di questo ActiveX, sovrascrivere con dati random il contenuto di file arbitrariamente.</span><br /><span style="font-family: courier new;">Tale operazione risulta rischiosa in quanto, modificando il contenuto di file come system.ini, si può compromettere il funzionamento del pc di un utente.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070521/ltrvol.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070521/ltrvoltxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-7539527283761978098?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com24tag:blogger.com,1999:blog-3801485324556381326.post-66929423704694974562007-05-20T19:44:00.000-07:002007-05-18T10:45:47.732-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Stessa ragione del post MoAxB #19 :)</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070520/leadraster.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070520/leadrastertxt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-6692942370469497456?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com26tag:blogger.com,1999:blog-3801485324556381326.post-18502995956941670232007-05-19T19:42:00.000-07:002007-05-18T10:42:58.679-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Siccome nei prossimi due giorni non avro accesso a pc di sorta, pubblico in anticipo i bug relativi al 19 e 20 Maggio 2007.</span><br /><span style="font-family: courier new;">Il titolo parla da solo :)</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070519/lademthumb.html">Dimostrazione online</a><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070519/lademthumbtxt.html"><br />Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-1850299595694167023?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com64tag:blogger.com,1999:blog-3801485324556381326.post-67285851968439567282007-05-18T13:26:00.000-07:002007-05-18T04:25:43.747-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Questo ActiveX consente di gestire immagine anche da web browser.</span><br /><span style="font-family: courier new;">Il metodo "BitmapDataPath" è vulnerabile a stack-based buffer overflow che consente l'esecuzione di codice arbitrario sul pc di un utente.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070518/lead.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070518/leadtxt.html">Formato testo</a></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-6728585196843956728?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com44tag:blogger.com,1999:blog-3801485324556381326.post-19627163212637612372007-05-17T10:52:00.000-07:002007-05-17T01:53:14.819-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Un'altra dll (ltmm15.dll) distribuita col DMM Sienzo risulta vulnerabile ad uno stack-based buffer overflow che consente l'esecuzione di codice arbitrario sul pc di un utente che avesse installato questo software.</span><br /><span style="font-family: courier new;">Il vendor continua a non rispondere.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070517/sienzo2.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070517/sienzo2txt.html">Formato testo</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-1962716321263761237?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com21tag:blogger.com,1999:blog-3801485324556381326.post-39243799257641829812007-05-16T14:38:00.000-07:002007-05-16T05:37:28.246-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Un bonus</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070516/precisionafo.html">Dimostrazione online</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-3924379925764182981?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com21tag:blogger.com,1999:blog-3801485324556381326.post-88213003611554102802007-05-16T14:27:00.000-07:002007-05-16T05:26:47.095-07:00<span style="font-size:85%;"><span style="font-family: courier new;">In data 14/05/2007 è stata rilasciata una nuova versione di questo ActiveX, la 1.9</span><br /><span style="font-family: courier new;">Come un altro componente dello stesso produttore, è soggetto ad uno stack-based buffer overflow che può consentire l'esecuzione di codice arbitrario sul pc di un utente.</span><br /><span style="font-family: courier new;">L'exploit è stato provato su IE6, testandolo su IE7 il browser smette di rispondere.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070516/precision.html">Dimostrazione online</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-8821300361155410280?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com94tag:blogger.com,1999:blog-3801485324556381326.post-59741534960690324842007-05-15T13:36:00.000-07:002007-05-15T04:35:40.239-07:00<span style="font-size:100%;"><span style="font-family:courier new;">E' possibile, usando il metodo "SaveToFile" di questo ActiveX, sovrascrivere con dati random il contenuto</span> di file arbitrariamente.<br /><span style="font-family:courier new;">Tale operazione risulta rischiosa in quanto, modificando il contenuto di file come system.ini, si può compromettere il funzionamento del pc di un utente.<br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070515/dbsoftware.html">Dimostrazione online</a><br /></span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-5974153496069032484?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com28tag:blogger.com,1999:blog-3801485324556381326.post-29840895591872673372007-05-14T13:15:00.000-07:002007-05-14T04:15:04.928-07:00<span style="font-size:85%;">Questo ActiveX serve a comparare due database e il metodo "ConnectToDatabase" è vulnerabile a Buffer Overflow che consente l'esecuzione di codice arbitrario sul pc di un utente.<br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070514/clever.html">Dimostrazione online</a><br /><br />Contenuto dei registri al momento del crash:</span><span style="font-size:78%;"><br /></span><pre id="line1"><span style="font-size:78%;">12:58:35.492 pid=0570 tid=07FC EXCEPTION (first-chance)<br /> ----------------------------------------------------------------<br /> Exception C0000005 (ACCESS_VIOLATION reading [41414141])<br /> ----------------------------------------------------------------<br /> EAX=01D04141: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00<br /> EBX=41418282: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??<br /> ECX=01D0EA01: 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41<br /> EDX=00000001: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??<br /> ESP=01D0E510: 58 DD 0A 03 41 41 41 41-41 41 41 41 00 00 14 00<br /> EBP=01D0E540: E0 EA D0 01 28 6F 93 03-41 41 41 41 58 DD 0A 03<br /> ESI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??<br /> EDI=030ADD58: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00<br /> EIP=039316BC: 38 0E 74 1F 66 85 D2 6A-00 74 07 68 C8 32 95 03<br /> --> CMP [ESI],CL<br /> ----------------------------------------------------------------<br /><br />12:58:35.492 pid=0570 tid=07FC EXCEPTION (first-chance)<br /> ----------------------------------------------------------------<br /> Exception C0000005 (ACCESS_VIOLATION reading [41414141])<br /> ----------------------------------------------------------------<br /> EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??<br /> EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??<br /> ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??<br /> EDX=7C9137D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00<br /> ESP=01D0E140: BF 37 91 7C 28 E2 D0 01-28 EC D0 01 44 E2 D0 01<br /> EBP=01D0E160: 10 E2 D0 01 8B 37 91 7C-28 E2 D0 01 28 EC D0 01<br /> ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??<br /> EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??<br /> EIP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??<br /> --> N/A<br /> ----------------------------------------------------------------</span></pre><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-2984089559187267337?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com69tag:blogger.com,1999:blog-3801485324556381326.post-48925755071736392302007-05-13T11:45:00.000-07:002007-05-13T02:45:17.847-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Altro ActiveX per barcode...</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070513/IDAutomation.html">Dimostrazione online</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-4892575507173639230?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com64tag:blogger.com,1999:blog-3801485324556381326.post-90041058626724184842007-05-12T10:12:00.000-07:002007-05-12T01:12:16.133-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Un altro ActiveX col quale è possibile creare barcode. Come si può vedere, con l'exploit riusciamo a sovrascrivere EAX quindi non escludo la possibilità di esecuzione di codice arbitrario.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070512/precision.html">Dimostrazione online</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-9004105862672418484?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com28tag:blogger.com,1999:blog-3801485324556381326.post-91943325756654632692007-05-11T18:17:00.000-07:002007-05-11T09:16:04.621-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Questo ActiveX viene distribuito col player in oggetto.</span><br /><br /><span style="font-family: courier new;">L'autore/scopritore del bug e </span><span style="font-weight: bold; font-family: courier new;">rgod</span><br /><br /><span style="font-family: courier new;">Ecco il link all'exploit:</span><br /><a style="font-family: courier new;" href="http://retrogod.altervista.org/ie_gdivx_activex_bof.html">http://retrogod.altervista.org/ie_gdivx_activex_bof.html</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-9194332575665463269?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com11tag:blogger.com,1999:blog-3801485324556381326.post-71584162950170954592007-05-11T12:13:00.000-07:002007-05-11T09:17:00.379-07:00<span style="font-size:85%;"><span style="font-family:courier new;">E' possibile, usando il metodo "Save" di questo ActiveX, sovrascrivere con dati random il contenuto</span> di file arbitrariamente.<br /><span style="font-family:courier new;">Tale operazione risulta rischiosa in quanto, modificando il contenuto di file come system.ini, si può compromettere il funzionamento del pc di un utente.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070511/morovia.html">Dimostrazione online</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-7158416295017095459?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com13tag:blogger.com,1999:blog-3801485324556381326.post-70706638818649339912007-05-10T14:04:00.000-07:002007-05-10T05:03:49.761-07:00<span style="font-size:85%;"><span style="font-family:courier new;">Anche questo controllo è un VNC manager e anche questo è vulnerabile a stack overflow.</span><br /><span style="font-family:courier new;">Giostrando la lunghezza della stringa si possono controllare di volta in volta diversi registri, quindi non escludo la possibilità di esecuzione di codice arbitrario.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070510/rControl.html">Dimostrazione Online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070510/rControl.txt">Formato testo</a><br /><br /><span style="font-family:courier new;">P.S.</span><br /><span style="font-family:courier new;">Se si prova con una stringa inferiore a 4000 caratteri si verifica uno strano crash. Sembra un heap overflow nella ntdll.dll ma non ne sono sicuro e non ho tempo di indagare a fondo :)</span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-7070663881864933991?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com25tag:blogger.com,1999:blog-3801485324556381326.post-42200307108851134202007-05-09T10:18:00.000-07:002007-05-09T01:19:03.196-07:00<span style="font-size:85%;"><span style="font-family: courier new;">Questo controllo consente di creare, visualizzare e stampare codici a barre. Il metodo "verify" di questo controllo è vulnerabile a buffer overflow grazie al quale il registro EIP viene sovrascritto dando la possibilità di eseguire codice arbitrario.</span><br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070509/barcodewiz.html"><span style="font-family: courier new;">Dimostrazione online</span></a><br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070509/barcodewiz.txt"><span style="font-family: courier new;">Formato txt</span></a><br /><br /><span style="font-family: courier new;">Ecco la situazione dei registri al momento del crash:</span><br /><br /><span style="font-size:78%;"><span style="font-family: courier new;">14:39:21.000 pid=1244 tid=1534 EXCEPTION (first-chance)</span><br /><span style="font-family: courier new;"> ----------------------------------------------------------------</span><br /><span style="font-family: courier new;"> Exception C0000005 (ACCESS_VIOLATION reading [61616239])</span><br /><span style="font-family: courier new;"> ----------------------------------------------------------------</span><br /><span style="font-family: courier new;"> EAX=61616161: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family: courier new;"> EBX=03558474: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00</span><br /><span style="font-family: courier new;"> ECX=01D1E375: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00</span><br /><span style="font-family: courier new;"> EDX=01D1F020: 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41</span><br /><span style="font-family: courier new;"> ESP=01D1F014: 00 00 00 00 1C 0A 57 03-70 1B EB 03 41 41 41 41</span><br /><span style="font-family: courier new;"> EBP=01D1F420: 41 41 41 41 41 41 41 41-61 61 61 61 41 41 41 41</span><br /><span style="font-family: courier new;"> ESI=770F4C3B: 8B FF 55 8B EC 8B 45 08-85 C0 74 05 8B 40 FC D1</span><br /><span style="font-family: courier new;"> EDI=01D1F010: 7C 9E 55 03 00 00 00 00-1C 0A 57 03 70 1B EB 03</span><br /><span style="font-family: courier new;"> EIP=03E9F9C6: 8B 88 D8 00 00 00 52 8B-01 FF 50 0C 85 C0 8B 45</span><br /><span style="font-family: courier new;"> --> MOV ECX,[EAX+000000D8]</span><br /><span style="font-family: courier new;"> ----------------------------------------------------------------</span><br /><br /><span style="font-family: courier new;">14:39:21.000 pid=1244 tid=1534 EXCEPTION (first-chance)</span><br /><span style="font-family: courier new;"> ----------------------------------------------------------------</span><br /><span style="font-family: courier new;"> Exception C0000005 (ACCESS_VIOLATION reading [62626262])</span><br /><span style="font-family: courier new;"> ----------------------------------------------------------------</span><br /><span style="font-family: courier new;"> EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family: courier new;"> EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family: courier new;"> ECX=62626262: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family: courier new;"> EDX=7C9137D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00</span><br /><span style="font-family: courier new;"> ESP=01D1EC44: BF 37 91 7C 2C ED D1 01-94 F8 D1 01 48 ED D1 01</span><br /><span style="font-family: courier new;"> EBP=01D1EC64: 14 ED D1 01 8B 37 91 7C-2C ED D1 01 94 F8 D1 01</span><br /><span style="font-family: courier new;"> ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family: courier new;"> EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family: courier new;"> EIP=62626262: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family: courier new;"> --> N/A</span><br /><span style="font-family: courier new;"> ----------------------------------------------------------------</span></span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-4220030710885113420?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com56tag:blogger.com,1999:blog-3801485324556381326.post-80037402358644308072007-05-08T10:26:00.000-07:002007-05-08T01:26:21.946-07:00<span style="font-size:85%;"><span style="font-weight: bold;font-family:courier new;" >-----------------------------------------------------------------------------</span><br /><span style="font-weight: bold;font-family:courier new;" > SmartCode VNC Manager 3.6 (scvncctrl.dll) Denial of service</span><br /><span style="font-weight: bold;font-family:courier new;" > url: http://www.s-code.com/</span><br /><span style="font-weight: bold;font-family:courier new;" > price: from $98.94 to $2,500</span><br /><br /><span style="font-weight: bold;font-family:courier new;" > author: shinnai</span><br /><span style="font-weight: bold;font-family:courier new;" > mail: shinnai[at]autistici[dot]org</span><br /><span style="font-weight: bold;font-family:courier new;" > site: http://shinnai.altervista.org</span><br /><br /><span style="font-weight: bold;font-family:courier new;" > Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 </span><br /><span style="font-weight: bold;font-family:courier new;" >-----------------------------------------------------------------------------</span><br /><br /><span style="font-family:courier new;">La maggior parte dei metodi di questo activex sono vulnerabili a DoS. L'exploit</span> <span style="font-family:courier new;">che riporto consente di controllare il contenuto di EAX e ECX ma lo scenario </span><span style="font-family:courier new;">varia a seconda della lunghezza della stringa passata.<br /></span><span style="font-family:courier new;">Lo propongo come DoS ma non escludo la possibilità di trovare il modo di</span> <span style="font-family:courier new;">eseguire codice arbitrario.<br /></span><br /><a href="http://www.shinnai.altervista.org/moaxb/20070508/scvncctrl.html"><span style="font-family:courier new;">Dimostrazione online</span></a><br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070508/scvncctrl.txt"><span style="font-family:courier new;">Formato txt</span></a><br /><br /><span style="font-family:courier new;">Ecco il contenuto dei registri al momento del crash</span>:<br /><br /><span style="font-family:courier new;">EAX 61616161</span><br /><span style="font-family:courier new;">ECX 62626262</span><br /><span style="font-family:courier new;">EDX 02DFECA0 ASCII "aaaabbbbBBB..." </span><br /><span style="font-family:courier new;">EBX 02DF0000</span><br /><span style="font-family:courier new;">ESP 0173F068</span><br /><span style="font-family:courier new;">EBP 0173F288</span><br /><span style="font-family:courier new;">ESI 02DFEC98 ASCII "AAAAAAAAaaaabbbbBBB..."</span><br /><span style="font-family:courier new;">EDI 00000221</span><br /><br /><span style="font-family:courier new;">EIP 7C92142E ntdll.7C92142E</span><br /><br /><span style="font-family:courier new;">7C92142E 8B39 MOV EDI,DWORD PTR DS:[ECX] <-- CRASH</span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-8003740235864430807?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com20tag:blogger.com,1999:blog-3801485324556381326.post-72863834014403800662007-05-07T09:48:00.000-07:002007-05-07T00:47:35.690-07:00<span style="font-size:85%;"><span style="font-family:courier new;">Riporto, in questo exploit, solo il contenuto dei registri visto che credo sia chiaro che l'esecuzione di codice arbitrario è possibile.</span><br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070507/ufile.html"><span style="font-family:courier new;">Dimostrazione online</span></a><br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070507/ufile.txt"><span style="font-family:courier new;">Formato txt</span></a><br /><br /><span style="font-size:78%;"><span style="font-family:courier new;">11:40:51.172 pid=08E4 tid=0AB0 EXCEPTION (first-chance)</span><br /><span style="font-family:courier new;"> ----------------------------------------------------------------</span><br /><span style="font-family:courier new;"> Exception C0000005 (ACCESS_VIOLATION reading [41414141])</span><br /><span style="font-family:courier new;"> ----------------------------------------------------------------</span><br /><span style="font-family:courier new;"> EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family:courier new;"> EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family:courier new;"> ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family:courier new;"> EDX=7C9137D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00</span><br /><span style="font-family:courier new;"> ESP=0173E26C: BF 37 91 7C 54 E3 73 01-84 F2 73 01 70 E3 73 01</span><br /><span style="font-family:courier new;"> EBP=0173E28C: 3C E3 73 01 8B 37 91 7C-54 E3 73 01 84 F2 73 01</span><br /><span style="font-family:courier new;"> ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family:courier new;"> EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family:courier new;"> EIP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><br /><span style="font-family:courier new;"> --> N/A</span><br /><span style="font-family:courier new;"> ----------------------------------------------------------------</span></span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-7286383401440380066?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com57tag:blogger.com,1999:blog-3801485324556381326.post-73431823845861338602007-05-06T10:26:00.000-07:002007-05-06T01:26:14.064-07:00<span style="font-size:85%;"><span style="font-family: courier new;">DSKernel2.dll, distribuita con l'ultima versione del software in oggetto, contiene due metodi che sono vulnerabili ad uno stack-based overflow che consente l'esecuzione di codice arbitrario sul pc dell'utente.</span><br /><span style="font-family: courier new;">I metodi sono "LockModules" e "UnlockModule" ai quali, passando una stringa rispettivamente di 263 e 296 caratteri, causano lo stack overflow.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070506/sienzo.txt">Formato txt</a><br /><br /><span style="font-family: courier new;">Il contenuto dei registri al momento del crash è:</span><br /><span style="font-family: courier new;">per "Lockmodules:</span><br /><br /><span style="font-family: courier new;">EAX 00000000</span><br /><span style="font-family: courier new;">ECX 7C92056D ntdll.7C92056D</span><br /><span style="font-family: courier new;">EDX 03CF0000</span><br /><span style="font-family: courier new;">EBX 00000000</span><br /><span style="font-family: courier new;">ESP 0173E554 ASCII "BBB..."</span><br /><span style="font-family: courier new;">EBP 41414141</span><br /><span style="font-family: courier new;">ESI 0173E560 ASCII "BBBB..."</span><br /><span style="font-family: courier new;">EDI 00000600</span><br /><br /><span style="font-family: courier new;">EIP 62626262</span><br /><br /><span style="font-family: courier new;">-----------------------------------------------------</span><br /><br /><span style="font-family: courier new;">per "UnlockModule":</span><br /><br /><span style="font-family: courier new;">EAX 80070057</span><br /><span style="font-family: courier new;">ECX 02D56F1A UNICODE " ((((( H"</span><br /><span style="font-family: courier new;">EDX 0173EC48</span><br /><span style="font-family: courier new;">EBX 02D3D250 DSKernel.02D3D250</span><br /><span style="font-family: courier new;">ESP 0173ED80 ASCII "BBB..."</span><br /><span style="font-family: courier new;">EBP 41414141</span><br /><span style="font-family: courier new;">ESI 0173F064</span><br /><span style="font-family: courier new;">EDI 00000000</span><br /><br /><span style="font-family: courier new;">EIP 62626262</span><br /><br /><span style="font-family: courier new;">Il resto è storia...</span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-7343182384586133860?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com14tag:blogger.com,1999:blog-3801485324556381326.post-54878664538803683742007-05-05T11:55:00.000-07:002007-05-05T02:56:40.630-07:00<span style="font-size:85%;"><span style="font-family:courier new;">Bene, volevo lasciare i bug più interessanti per la seconda metà del mese ma, siccome sta nascendo un putiferio (sul mio modo di parlare in inglese e sulle mie capacità tecniche), posto un exploit che sfrutta uno stack overflow causato dall'ocx per eseguire codice arbitrario su un pc.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070505/east.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070505/east.txt">Formato txt</a><br /><br /><span style="font-family:courier new;">Analizziamo meglio lo scenario: al momento del crash la situazione dei registri è la seguente:</span><br /><br /><span style="font-family:courier new;font-size:78%;">14:51:52.171 pid=0A90 tid=0E40 EXCEPTION (first-chance)</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> Exception C0000005 (ACCESS_VIOLATION reading [616165E5])</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EAX=61616161: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EBX=0174EDE0: 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ECX=000035D1: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EDX=01750110: 6F 00 F2 00 ED F2 F2 00-ED F2 F2 00 ED F2 F2 00</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ESP=0174EA40: 10 EB FF 02 1C EB 74 01-61 1E 94 7C 1C EB 74 01</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EBP=0174EDB8: 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ESI=00000008: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EDI=02FE056E: 20 20 20 20 3C 2F 70 3E-0D 0A 20 20 20 20 20 20</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EIP=03D2187D: 8B 90 84 04 00 00 8D 88-7C 04 00 00 85 D2 7E 09</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> --> MOV EDX,[EAX+00000484]</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /><br /></span><span style="font-family:courier new;font-size:78%;">14:51:52.171 pid=0A90 tid=0E40 EXCEPTION (first-chance)</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> Exception C0000005 (ACCESS_VIOLATION reading [42424242])</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ECX=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EDX=7C9137D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ESP=0174E670: BF 37 91 7C 58 E7 74 01-AC ED 74 01 74 E7 74 01</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EBP=0174E690: 40 E7 74 01 8B 37 91 7C-58 E7 74 01 AC ED 74 01</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> --> N/A</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><br /><br /><span style="font-family:courier new;">Come potete notare, l'errore avviene nel momento in cui si cerca di leggere il contenuto di EAX mentre, nel passo successivo, vediamo EIP sovrascritto con dati arbitrari.</span><br /><span style="font-family:courier new;">Bene, la prima cosa da fare è passare ad EAX un "readable" address, così da superare la prima limitazione.</span><br /><span style="font-family:courier new;">Passiamo allora 0x77D7AAEB call ESP (from user32.dll) e vediamo cosa succede ai registri:</span><br /><br /><span style="font-family:courier new;font-size:78%;">15:03:32.855 pid=0A98 tid=06E0 EXCEPTION (first-chance)</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> Exception C0000005 (ACCESS_VIOLATION reading [63636363])</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EAX=73E186D4: 00 00 00 00 84 6A DF 73-00 00 00 00 2E 3F 41 56</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EBX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EDX=7608F260: 10 05 46 03 FF FF FF FF-00 00 00 00 00 00 00 00</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ESP=0174EDEC: 90 EB 03 59 EB 05 E8 F8-FF FF FF 4F 49 49 49 49</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EBP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ESI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EDI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> --> N/A</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /><br /></span><span style="font-family:courier new;font-size:78%;">15:03:32.855 pid=0A98 tid=06E0 EXCEPTION (unhandled)</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> Exception C0000005 (ACCESS_VIOLATION reading [63636363])</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EAX=73E186D4: 00 00 00 00 84 6A DF 73-00 00 00 00 2E 3F 41 56</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EBX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EDX=7608F260: 10 05 46 03 FF FF FF FF-00 00 00 00 00 00 00 00</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ESP=0174EDEC: 90 EB 03 59 EB 05 E8 F8-FF FF FF 4F 49 49 49 49</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EBP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ESI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EDI=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> --> N/A</span><span style="font-size:78%;"><br /></span><span style="font-family:courier new;font-size:78%;"> ----------------------------------------------------------------</span><br /><br /><span style="font-family:courier new;">Bingo! Ora controlliamo EIP e abbiamo in ESP il contenuto della shellcode, il resto è storia...</span><br /><br /><span style="font-family:courier new;">That's all folks!</span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-5487866453880368374?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com32tag:blogger.com,1999:blog-3801485324556381326.post-31973528992341946942007-05-04T11:48:00.000-07:002007-05-05T02:52:49.516-07:00<span style="font-size:85%;"><span style="font-family:courier new;">Questo è semplicemente un bonus. Gli advisories originale sono questi:</span><span style="text-decoration: underline;font-family:courier new;" ><br /></span><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/viewtopic.php?id=41&t_id=30">http://www.shinnai.altervista.org/viewtopic.php?id=41&amp;t_id=30</a><br /><a style="font-family: courier new;" href="http://www.milw0rm.com/exploits/3307">http://www.milw0rm.com/exploits/3307</a><br /><span style="font-family:courier new;">poi ne è stato pubblicato uno da Umesh Wanve per Windows 2000 SP4 Server English e Windows 2000 SP4 Professional English qui:</span><br /><a style="font-family: courier new;" href="http://www.milw0rm.com/exploits/3610">http://www.milw0rm.com/exploits/3610</a><br /><span style="font-family:courier new;">e ora ne rilascio una versione per Windows XP Professional SP2.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070504/actsoft.html">Dimostrazione online</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070504/actsoft.txt">Formato txt</a><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-3197352899234194694?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com16tag:blogger.com,1999:blog-3801485324556381326.post-62817786965167484482007-05-04T09:10:00.000-07:002007-05-04T00:12:10.729-07:00<span style="font-size:85%;"><span style="font-family:courier new;">Questo bug si commenta da solo e non ho molto da aggiungere se non che, vista la quantità di critiche mosse al mio inglese, che come avevo preannunciato e sottolineato era meno che scolastico (e vi assicuro che avrei sopportato molto di più critiche ai bug che non al mio modo di parlare in inglese), da ora scriverò gli advisories in italiano, mia madrelingua, così che, chi ne avrà voglia, se li tradurrà da sè.<br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070504/oa.html">Dimostrazione online</a><br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070504/oa.txt">Formato txt</a><br /></span><br /><span style="font-family:courier new;">Ecco il contenuto dei registri al momento del crash dell'applicazione.</span><br /><br /><span style="font-family:courier new;">EAX 000EC484</span><br /><span style="font-family:courier new;">ECX 01642A44</span><br /><span style="font-family:courier new;">EDX 00000000</span><br /><span style="font-family:courier new;">EBX 0173EA68</span><br /><span style="font-family:courier new;">ESP 0173EA3C</span><br /><span style="font-family:courier new;">EBP 0173EC74</span><br /><span style="font-family:courier new;">ESI 000F4241</span><br /><span style="font-family:courier new;">EDI 039F0024 UNICODE "AAA..."</span><br /><br /><span style="font-family:courier new;">EIP 77527420 ole32.77527420</span><br /><br /><span style="font-family:courier new;">77527420 8501 TEST DWORD PTR DS:[ECX],EAX <-- CRASH</span><br /><br /><span style="font-weight: bold;font-family:courier new;" >Devo doverosamente ringraziare The Wanderer al quale ho rotto i cosiddetti per le traduzioni e che ora vede reso inutile il proprio lavoro. Mi spiace e cercherò di farmi perdonare ma, che diavolo, talvolta bisogna essere nazionalisti: sono Italiano, sono fiero di esserlo e chi vuol leggere quello che scrivo se lo traduca da sè o vada a farsi benedire.</span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-6281778696516748448?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com23tag:blogger.com,1999:blog-3801485324556381326.post-24412041616577233022007-05-03T09:06:00.000-07:002007-05-03T02:59:56.362-07:00<span style="font-size:85%;"><span style="font-family:courier new;">This component allows you to visualize, create and modify doc files.</span><br /><span style="font-family:courier new;">Some methods are unable to handle exceptional conditions, and this causes the crash of the application that uses this component.</span><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070503/doc.html">Online demonstration</a><br /><br /><a style="font-family: courier new;" href="http://www.shinnai.altervista.org/moaxb/20070503/doc.txt">Text format</a><br /><br /><span style="font-family:courier new;">This is the content of registers when the crash happens:</span><br /><br /><span style="font-family:courier new;">EAX 003042D4</span><br /><span style="font-family:courier new;">ECX 01642A24</span><br /><span style="font-family:courier new;">EDX 00000000</span><br /><span style="font-family:courier new;">EBX 0173EA48</span><br /><span style="font-family:courier new;">ESP 0173EA1C</span><br /><span style="font-family:courier new;">EBP 0173EC54</span><br /><span style="font-family:courier new;">ESI 00200169</span><br /><span style="font-family:courier new;">EDI 03F2002C UNICODE "AAA..."</span><br /><br /><span style="font-family:courier new;">EIP 77527420 ole32.77527420</span><br /><br /><span style="font-family:courier new;">77527420 8501 TEST DWORD PTR DS:[ECX],EAX <-- CRASH</span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-2441204161657723302?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com143tag:blogger.com,1999:blog-3801485324556381326.post-78307594294763973222007-05-02T09:26:00.000-07:002007-05-03T02:59:35.045-07:00<span style="font-size:85%;"><span style="font-family:courier new;">This component allows you to visualize, create and modify xls files.<br /></span><span style="font-family:courier new;">Some methods are unable to handle exceptional conditions, and this causes the</span> <span style="font-family:courier new;">crash of the application that uses this component.<br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070502/xls.html">Online demonstration</a><br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070502/xls.txt">Text version</a><br /><br /></span><span style="font-family:courier new;">This is the content of registers when the crash happens:</span><br /><br /><span style="font-family:courier new;">EAX 003042D4</span><br /><span style="font-family:courier new;">ECX 01642A34</span><br /><span style="font-family:courier new;">EDX 00000000</span><br /><span style="font-family:courier new;">EBX 0173EA58</span><br /><span style="font-family:courier new;">ESP 0173EA2C</span><br /><span style="font-family:courier new;">EBP 0173EC64</span><br /><span style="font-family:courier new;">ESI 00200169</span><br /><span style="font-family:courier new;">EDI 03C20024 UNICODE "AAA..."</span><br /><br /><span style="font-family:courier new;">EIP 77527420 ole32.77527420</span><br /><br /><span style="font-family:courier new;">77527420 8501 TEST DWORD PTR DS:[ECX],EAX <-- CRASH</span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-7830759429476397322?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com14tag:blogger.com,1999:blog-3801485324556381326.post-75491851673699212992007-05-01T12:24:00.000-07:002007-05-03T02:58:34.552-07:00<span style="font-size:85%;"><span style="font-family:courier new;">well, let's start the MoAxB with a DoS. This component allows you to visualize, </span><span style="font-family:courier new;">create and modify ppt files.</span><br /><span style="font-family:courier new;">Some methods are unable to handle exceptional conditions, and this causes the </span><span style="font-family:courier new;">crash of the application that uses this component.<br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070501/ppt.html">Online demonstration</a><br /><br /><a href="http://www.shinnai.altervista.org/moaxb/20070501/ppt.txt">Text format</a><br /></span><br /><span style="font-family:courier new;">This is the content of registers when the crash happens:</span><br /><br /><span style="font-family:courier new;">EAX 000EC484</span><br /><span style="font-family:courier new;">ECX 01642A38</span><br /><span style="font-family:courier new;">EDX 00000000</span><br /><span style="font-family:courier new;">EBX 0173EA5C</span><br /><span style="font-family:courier new;">ESP 0173EA30</span><br /><span style="font-family:courier new;">EBP 0173EC68</span><br /><span style="font-family:courier new;">ESI 000F4241</span><br /><span style="font-family:courier new;">EDI 039E0024 UNICODE "AAA..."</span><br /><br /><span style="font-family:courier new;">EIP 77527420 ole32.77527420</span><br /><br /><span style="font-family:courier new;">77527420 8501 TEST DWORD PTR DS:[ECX],EAX <-- CRASH</span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-7549185167369921299?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com24tag:blogger.com,1999:blog-3801485324556381326.post-79363527219999453282007-04-19T10:29:00.000-07:002007-05-02T02:51:15.868-07:00<span style="font-size:85%;"><span style="font-family:courier new;">well, first of all sorry for my poor english then some informations about <a href="http://en.wikipedia.org/wiki/ActiveX_control">activex controls from wikipedia</a>.<br /></span><span style="font-family:courier new;">so I'm here and I'm proud to announce that on 2007 MAY will start the Month of ActiveX Bug (<span style="font-weight: bold;">MoAxB</span>).</span><br /><span style="font-family:courier new;">most of them are simple DoS (don't worry there are also some code execution) but that's because MoAxB has only a sense: to inform developers about the risk of using activex controls.</span><br /><span style="font-family:courier new;">naturally everyone's invited to post activex bug or to ask for information or simply to post comments.</span><br /><br /><span style="font-family:courier new;">Greetz to:</span><br /><span style="font-family:courier new;">my wife and my </span><span style="font-family:courier new;"> daughter</span></span><span style="font-size:85%;"><span style="font-family:courier new;"> for all the love they give to me and for their patience</span><br /><br /><span style="font-family:courier new;">in alphabetical order :)</span><br /><span style="font-family:courier new;">auron, GiampaZ, hawake, ppanico2, redeemer, rgod, str0ke, The Wanderer, wicker25 and to all I forgot to mention for their support and friendship.</span><br /><br /><span style="font-family:courier new;">now be safe brothers, see you on 2007/05/01</span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3801485324556381326-7936352721999945328?l=moaxb.blogspot.com' alt='' /></div>shinnainoreply@blogger.com11