Operating System: Windows XP ≈ Packet Storm
Packet Storm - Information Security News, Files, Tools, Exploits, Advisories and Whitepapers
http://packetstormsecurity.org/
Mon, 28 May 2012 07:56:10 GMT

OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow
http://packetstormsecurity.org/files/113002/openoffice_ole.rb.txt
http://packetstormsecurity.org/files/113002/OpenOffice-OLE-Importer-DocumentSummaryInformation-Stream-Handling-Overflow.html
Thu, 24 May 2012 02:44:45 GMT
This Metasploit module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on Microsoft Windows XP SP3. By supplying an OLE file with a malformed DocumentSummaryInformation stream, an attacker can gain control of the execution flow, which results in arbitrary code execution in the context of the user.

Novell Client 4.91 SP3/4 Privilege Escalation
http://packetstormsecurity.org/files/112968/novell491-escalate.txt
http://packetstormsecurity.org/files/112968/Novell-Client-4.91-SP3-4-Privilege-Escalation.html
Wed, 23 May 2012 02:49:43 GMT
Novell Client version 4.91 SP3/4 privilege escalation exploit for Windows 2003 and Windows XP.

Windows XP Keyboard Layouts Pool Corruption Proof Of Concept
http://packetstormsecurity.org/files/112967/winxpkeyboard.zip
http://packetstormsecurity.org/files/112967/Windows-XP-Keyboard-Layouts-Pool-Corruption-Proof-Of-Concept.html
Wed, 23 May 2012 02:45:29 GMT
This proof of concept code demonstrates a Microsoft Windows XP keyboard layouts pool corruption vulnerability that is still present after MS12-034. The vulnerability exists in the function win32k!ReadLayoutFile(), which parses keyboard layout file data.

Apple Quicktime .pct Parsing Memory Corruption
http://packetstormsecurity.org/files/112747/VMRL-applequicktime.txt
http://packetstormsecurity.org/files/112747/Apple-Quicktime-.pct-Parsing-Memory-Corruption.html
Tue, 15 May 2012 22:38:03 GMT
Apple Quicktime does not properly parse .pct media files. Opening a malformed file with an invalid value at offset 0x20E (see the PoC repro01.pct) causes a memory corruption in module DllMain. Quicktime Player version 7.7.1 (1680.42) on Windows XP SP3 (PT_BR) is confirmed affected. Other versions may also be affected.

Microsoft Windows XP Win32k.sys Denial Of Service
http://packetstormsecurity.org/files/112409/win32k-dos.txt
http://packetstormsecurity.org/files/112409/Microsoft-Windows-XP-Win32k.sys-Denial-Of-Service.html
Wed, 02 May 2012 21:06:58 GMT
Microsoft Windows XP Win32k.sys local kernel denial of service exploit.

Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow
http://packetstormsecurity.org/files/109641/citrix_streamprocess_data_msg.rb.txt
http://packetstormsecurity.org/files/109641/Citrix-Provisioning-Services-5.6-SP1-Streamprocess-Opcode-0x40020000-Buffer-Overflow.html
Fri, 10 Feb 2012 22:33:19 GMT
This Metasploit module exploits a remote buffer overflow in Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to port 6905/UDP. The module has been successfully tested on Windows Server 2003 SP2, Windows 7, and Windows XP SP3.

CCMPlayer 1.5 Stack Buffer Overflow
http://packetstormsecurity.org/files/107503/ccmplayer_m3u_bof.rb.txt
http://packetstormsecurity.org/files/107503/CCMPlayer-1.5-Stack-Buffer-Overflow.html
Sat, 03 Dec 2011 18:32:22 GMT
This Metasploit module exploits a stack-based buffer overflow in CCMPlayer 1.5. When an m3u playlist with a long track name is opened, an SEH exception record is overwritten with parts of the controllable buffer. SEH execution is triggered after an invalid read of an injectable address, thus allowing arbitrary code execution. This Metasploit module works on multiple Windows platforms including Windows XP SP3, Windows Vista, and Windows 7.

libdvdcss 1.2.11
http://packetstormsecurity.org/files/107020/libdvdcss-1.2.11.tar.gz
http://packetstormsecurity.org/files/107020/libdvdcss-1.2.11.html
Wed, 16 Nov 2011 03:57:26 GMT
libdvdcss is a cross-platform library for transparent DVD device access with on-the-fly CSS decryption. It currently runs under Linux, FreeBSD, NetBSD, OpenBSD, BSD/OS, Solaris, BeOS, Win95/Win98, Win2k/WinXP, MacOS X, HP-UX, QNX, and OS/2. It is used by libdvdread and most DVD players such as VLC because of its portability and because, unlike similar libraries, it does not require your DVD drive to be region locked.

Opera Browser 10/11/12 (SVG layout) Memory Corruption
http://packetstormsecurity.org/files/105666/opera101112-corrupt.rb.txt
http://packetstormsecurity.org/files/105666/Opera-Browser-10-11-12-SVG-layout-Memory-Corruption.html
Tue, 11 Oct 2011 00:53:53 GMT
This Metasploit module exploits a memory corruption vulnerability triggered by badly nested SVG tags. Successful exploitation leads to remote code execution or a denial of service condition under Windows XP SP3 (DEP off).

ACDSee FotoSlate PLP File id Parameter Overflow
http://packetstormsecurity.org/files/105643/acdsee_fotoslate_string.rb.txt
http://packetstormsecurity.org/files/105643/ACDSee-FotoSlate-PLP-File-id-Parameter-Overflow.html
Mon, 10 Oct 2011 22:35:13 GMT
This Metasploit module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via a specially crafted id parameter in a String element. When a malicious PLP file is viewed with ACDSee FotoSlate, a remote attacker can overflow a buffer and execute arbitrary code. This exploit has been tested on Windows XP SP3, Windows Vista, and Windows 7.

Opera 10/11 Memory Corruption
http://packetstormsecurity.org/files/105598/opera1011-corrupt.rb.txt
http://packetstormsecurity.org/files/105598/Opera-10-11-Memory-Corruption.html
Thu, 06 Oct 2011 20:27:10 GMT
This Metasploit module exploits a vulnerability in the handling of nested frameset and iframe tags in the Opera browser. A memory corruption is triggered and some pointers are overwritten with invalid addresses. Successful exploitation leads to remote code execution or a denial of service condition under Windows XP SP3 (DEP off).

RealNetworks Realplayer QCP Parsing Heap Overflow
http://packetstormsecurity.org/files/105190/realplayer_qcp.rb.txt
http://packetstormsecurity.org/files/105190/RealNetworks-Realplayer-QCP-Parsing-Heap-Overflow.html
Sat, 17 Sep 2011 19:12:17 GMT
This Metasploit module exploits a heap overflow in Realplayer when handling a .QCP file. The specific flaw exists within qcpfformat.dll: a static 256-byte buffer is allocated on the heap and user-supplied data from the file is copied into it within a memory copy loop. This allows a remote attacker to execute arbitrary code in the context of the web browser via a .QCP file with a specially crafted "fmt" chunk. At this moment this module exploits the flaw on Windows XP with IE6 and IE7.

DVD X Player 5.5 .plf PlayList Buffer Overflow
http://packetstormsecurity.org/files/104726/dvdx_plf_bof.rb.txt
http://packetstormsecurity.org/files/104726/DVD-X-Player-5.5-.plf-PlayList-Buffer-Overflow.html
Fri, 02 Sep 2011 15:22:44 GMT
This Metasploit module exploits a stack-based buffer overflow in DVD X Player 5.5 Pro and Standard. When a .plf playlist containing a long string is supplied, the MediaPlayerCtrl.dll component attempts to extract a filename from the string and copies it onto the stack without proper bounds checking, which causes a buffer overflow and results in arbitrary code execution in the context of the user. This Metasploit module has been designed to target common Windows systems such as Windows XP SP2/SP3, Windows Vista, and Windows 7.
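
The RealPlayer QCP entry above describes the bug's shape: a fixed 256-byte heap buffer filled by a copy loop whose length comes from the file's "fmt" chunk. The C program below is an added example, not RealPlayer's or the Metasploit module's code. It walks a RIFF-style chunk list and shows that copy pattern beside a bounded version. The QLCM form type, the chunk names and the sample bytes are constructed assumptions for illustration, and the program never runs the overflowing path itself.

```c
/* Added example, not RealPlayer's code: a RIFF-style chunk walker whose "fmt "
 * handler has the shape the advisory describes (fixed 256-byte heap buffer,
 * byte-copy loop driven by the chunk's own length field), next to a bounded
 * version. Only the chunk layout (4-byte id, 4-byte little-endian size, data,
 * odd sizes padded to even) is RIFF's; the QLCM form type and the sample
 * file are constructed for illustration, not taken from a real recording. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define FMT_BUF_SIZE 256

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the chunks after the 12-byte RIFF header until "fmt " is found.
 * Every declared size is checked against the bytes actually present, so a
 * truncated file or a lying header is rejected instead of read past the end.
 * Returns 0 and sets *data/*data_len on success, -1 otherwise. */
static int find_fmt(const uint8_t *file, size_t len, const uint8_t **data, size_t *data_len)
{
    if (len < 12 || memcmp(file, "RIFF", 4) != 0 || memcmp(file + 8, "QLCM", 4) != 0)
        return -1;
    size_t off = 12;
    while (off <= len && len - off >= 8) {
        uint32_t sz = get_le32(file + off + 4);
        if (sz > len - off - 8)                 /* chunk claims more than the file holds */
            return -1;
        if (memcmp(file + off, "fmt ", 4) == 0) {
            *data = file + off + 8;
            *data_len = sz;
            return 0;
        }
        off += 8 + sz + (sz & 1);               /* RIFF pads odd-sized chunks */
    }
    return -1;
}

/* VULNERABLE shape: the destination is a fixed 256-byte heap allocation but
 * the copy loop runs for as many bytes as the chunk header says. Anything
 * above 256 bytes writes past the allocation (a heap overflow). Only call
 * it with in-bounds input; the overflow itself is undefined behaviour. */
static uint8_t *vuln_read_fmt(const uint8_t *data, size_t data_len)
{
    uint8_t *buf = malloc(FMT_BUF_SIZE);
    if (!buf) return NULL;
    for (size_t i = 0; i < data_len; i++)   /* bound comes from the file, not the buffer */
        buf[i] = data[i];
    return buf;
}

/* HARDENED: the buffer size, not the file, bounds the copy. An oversized
 * "fmt " chunk is malformed and is refused outright. */
static uint8_t *safe_read_fmt(const uint8_t *data, size_t data_len)
{
    if (data_len > FMT_BUF_SIZE) return NULL;
    uint8_t *buf = calloc(1, FMT_BUF_SIZE);
    if (!buf) return NULL;
    memcpy(buf, data, data_len);
    return buf;
}

/* Constructed sample: "RIFF" <size> "QLCM" "fmt " <fmt_len> <fmt_len x 'A'>.
 * Returns bytes written, or 0 if out is too small. */
static size_t build_qcp(uint8_t *out, size_t out_cap, uint32_t fmt_len)
{
    size_t total = 12 + 8 + (size_t)fmt_len;
    if (total > out_cap) return 0;
    memcpy(out, "RIFF", 4);
    put_le32(out + 4, (uint32_t)(total - 8));
    memcpy(out + 8, "QLCM", 4);
    memcpy(out + 12, "fmt ", 4);
    put_le32(out + 16, fmt_len);
    memset(out + 20, 'A', fmt_len);
    return total;
}

int main(void)
{
    uint8_t file[1024];
    const uint8_t *fmt; size_t fmt_len;
    size_t n = build_qcp(file, sizeof file, 600);     /* 600 > 256: the exploit's shape */
    if (find_fmt(file, n, &fmt, &fmt_len) == 0) {
        uint8_t *b = safe_read_fmt(fmt, fmt_len);
        printf("fmt chunk of %zu bytes: hardened parser %s\n", fmt_len, b ? "accepted" : "refused");
        free(b);                                      /* vuln_read_fmt would overflow here */
    }
    return 0;
}
```

The check lives in two places: find_fmt refuses any chunk whose declared size exceeds the bytes actually present, and safe_read_fmt refuses any "fmt" payload larger than the destination. Drop either and the file controls how far the copy loop runs.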

Mozilla Firefox 3.6.16 mChannel Use After Free
http://packetstormsecurity.org/files/103875/mozilla_mchannel.rb.txt
http://packetstormsecurity.org/files/103875/Mozilla-Firefox-3.6.16-mChannel-Use-After-Free.html
Wed, 10 Aug 2011 15:09:41 GMT
This Metasploit module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element's mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel becomes a dangling pointer and is reused when the OBJECT's data attribute is set. This Metasploit module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3.

Mozilla Firefox 3.6.16 mChannel Use After Free Exploit
http://packetstormsecurity.org/files/103739/firefox3616.rb.txt
http://packetstormsecurity.org/files/103739/Mozilla-Firefox-3.6.16-mChannel-Use-After-Free-Exploit.html
Fri, 05 Aug 2011 16:23:47 GMT
This Metasploit module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element's mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel becomes a dangling pointer and is reused when the OBJECT's data attribute is set. This Metasploit module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3.

Defeating Data Execution Prevention And ASLR In Windows XP SP3
http://packetstormsecurity.org/files/102813/defeating_data_execution_prevention_and_aslr_in_windows_xp_sp3.pdf
http://packetstormsecurity.org/files/102813/Defeating-Data-Execution-Prevention-And-ASLR-In-Windows-XP-SP3.html
Tue, 05 Jul 2011 14:52:37 GMT
Whitepaper called Defeating Data Execution Prevention and ASLR in Windows XP SP3. Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are two protection mechanisms integrated into the Windows operating system to make exploiting software more difficult. This document shows how these two features can be bypassed using different techniques.

EMC HomeBase Server Directory Traversal Remote Code Execution
http://packetstormsecurity.org/files/100917/emc_homebase_exec.rb.txt
http://packetstormsecurity.org/files/100917/EMC-HomeBase-Server-Directory-Traversal-Remote-Code-Execution.html
Thu, 28 Apr 2011 23:59:52 GMT
This Metasploit module exploits a directory traversal and remote code execution flaw in EMC HomeBase Server 6.3.0. Note: this Metasploit module has only been tested against Windows XP SP3 and Windows 2003 SP2.

WinXP 64 Bit Calc.exe Shellcode
http://packetstormsecurity.org/files/100651/win64calc-shellcode.txt
http://packetstormsecurity.org/files/100651/WinXP-64-Bit-Calc.exe-Shellcode.html
Wed, 20 Apr 2011 12:11:11 GMT
Microsoft Windows XP 64-bit calc.exe shellcode.

Old Dogs And New Tricks: Do You Know Where Your Handles Are?
http://packetstormsecurity.org/files/100564/Old-Dogs-and-New-Tricks.pdf
http://packetstormsecurity.org/files/100564/Old-Dogs-And-New-Tricks-Do-You-Know-Where-Your-Handles-Are.html
Tue, 19 Apr 2011 14:15:39 GMT
This paper offers incremental research in the area of untrusted program input via synchronization handle manipulation. Unlike the Michal Zalewski paper Delivering Signals for Fun and Profit, this paper focuses on the source of the Unix signal handlers. Tested were personal computers running Windows XP and Vista. The synchronization objects were mutexes and events, and the security software included products from AVG, Avast, Avira, BitDefender, BullGuard, CheckPoint, Eset, F-Prot, F-Secure, Kaspersky, McAfee, Microsoft (Security Essentials), Norman, Norton, Panda, PC Tools, Quick Heal, Symantec, and Trend Micro.

Microsoft Windows OpenType CFF Driver Stack Overflow
http://packetstormsecurity.org/files/100472/VUPEN-mswotcffdso.txt
http://packetstormsecurity.org/files/100472/Microsoft-Windows-OpenType-CFF-Driver-Stack-Overflow.html
Fri, 15 Apr 2011 14:28:37 GMT
The VUPEN Vulnerability Research Team discovered a critical vulnerability in Microsoft Windows. The vulnerability is caused by a stack overflow error in the OpenType Compact Font Format (CFF) driver "ATMFD.dll" when processing certain operands within an OpenType font. It could be exploited by remote attackers to execute arbitrary code on vulnerable Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista systems via a malicious font, or by local attackers to gain elevated privileges on Windows XP and Windows Server 2003 systems via a malicious application.

Win32 Eggsearch Shellcode
http://packetstormsecurity.org/files/98978/win32eggsearch-shellcode.txt
http://packetstormsecurity.org/files/98978/Win32-Eggsearch-Shellcode.html
Sun, 06 Mar 2011 20:21:56 GMT
33-byte Win32 egg-searching shellcode that should work on all service packs of Microsoft Windows XP, 2000, and 2003.
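
The two mChannel entries above describe the classic use-after-free sequence: free an element's channel through a redirect, keep the stale pointer, then reuse it when the data attribute is set. The C model below is an added example, not Firefox or Metasploit code. It replaces the browser heap with a small fixed pool so that the freed slot is deterministically re-allocated to an attacker-controlled object and the dangling pointer can be followed without undefined behaviour. All type and function names are assumptions chosen to mirror the advisory's wording.

```c
/* Added example, not Firefox code: a deterministic model of the dangling
 * mChannel pattern the two entries above describe. Channels come from a
 * fixed pool that stands in for the heap, so a "freed" slot can be handed to
 * an attacker-controlled object and the stale pointer dereferenced without
 * undefined behaviour. object_elem_t, on_channel_redirect and set_data
 * mirror the advisory's wording; they are not the browser's real types. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct channel {
    int alive;
    void (*on_load)(struct channel *c, const char *uri);   /* stands in for a vtable slot */
    char uri[64];
} channel_t;

#define POOL_SLOTS 4
static channel_t pool[POOL_SLOTS];

/* First-fit allocator: a freed slot is the first one handed out again, which
 * is exactly what a heap spray relies on. */
static channel_t *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].alive) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].alive = 1;
            return &pool[i];
        }
    }
    return NULL;
}
static void pool_free(channel_t *c) { c->alive = 0; }
static void pool_reset(void) { memset(pool, 0, sizeof pool); }

typedef struct { channel_t *mChannel; } object_elem_t;

static int attacker_code_ran;
static void attacker_handler(channel_t *c, const char *uri) { (void)c; (void)uri; attacker_code_ran = 1; }
static void legit_handler(channel_t *c, const char *uri) { strncpy(c->uri, uri, sizeof c->uri - 1); }

static channel_t *new_channel(void)
{
    channel_t *c = pool_alloc();
    if (c) c->on_load = legit_handler;
    return c;
}

/* VULNERABLE: the redirect frees the channel but the element keeps pointing
 * at it, and the next data-attribute set calls through the stale pointer. */
static void vuln_on_channel_redirect(object_elem_t *o) { pool_free(o->mChannel); }
static void vuln_set_data(object_elem_t *o, const char *uri) { o->mChannel->on_load(o->mChannel, uri); }

/* HARDENED: clear the pointer when the channel goes away and re-acquire a
 * live one on the next use. (Holding a reference count that keeps the channel
 * alive for as long as the element points to it is the other standard fix.) */
static void safe_on_channel_redirect(object_elem_t *o) { pool_free(o->mChannel); o->mChannel = NULL; }
static int safe_set_data(object_elem_t *o, const char *uri)
{
    if (!o->mChannel && !(o->mChannel = new_channel())) return -1;
    o->mChannel->on_load(o->mChannel, uri);
    return 0;
}

/* The attack sequence against either implementation: free via redirect, spray
 * so the freed slot comes back under attacker control, then trigger the reuse.
 * Returns 1 if the attacker's handler was called, 0 if not, -1 on pool exhaustion. */
static int run_scenario(int hardened)
{
    pool_reset();
    attacker_code_ran = 0;
    object_elem_t obj = { new_channel() };

    if (hardened) safe_on_channel_redirect(&obj);      /* step 1: OnChannelRedirect */
    else          vuln_on_channel_redirect(&obj);

    channel_t *sprayed = pool_alloc();                  /* step 2: the "heap spray" */
    if (!sprayed) return -1;
    sprayed->on_load = attacker_handler;

    if (hardened) safe_set_data(&obj, "http://example.invalid/");   /* step 3: data attribute set */
    else          vuln_set_data(&obj, "http://example.invalid/");
    return attacker_code_ran;
}

int main(void)
{
    printf("vulnerable: attacker handler ran = %d\n", run_scenario(0));
    printf("hardened:   attacker handler ran = %d\n", run_scenario(1));
    return 0;
}
```

In the vulnerable path the element's pointer still addresses slot 0 after the free, the spray gets slot 0 back and plants its own function pointer, and setting the data attribute calls it. In the hardened path the element forgot the channel at redirect time, so the later set allocates a fresh one and the sprayed slot is never touched through a stale reference.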

Microsoft Windows XP WmiTraceMessageVa Integer Truncation
http://packetstormsecurity.org/files/98793/ms11-011.txt
http://packetstormsecurity.org/files/98793/Microsoft-Windows-XP-WmiTraceMessageVa-Integer-Truncation.html
Tue, 01 Mar 2011 15:06:26 GMT
Proof of concept exploit that demonstrates the Microsoft Windows XP WmiTraceMessageVa integer truncation vulnerability described in MS11-011.

Solar FTP Server 2.1 Buffer Overflow
http://packetstormsecurity.org/files/97396/solarftpserver-bufferoverflow.py.txt
http://packetstormsecurity.org/files/97396/Solar-FTP-Server-2.1-Buffer-Overflow.html
Mon, 10 Jan 2011 23:33:33 GMT
Solar FTP Server version 2.1 buffer overflow exploit. Tested on Windows XP SP3 EN.

Windows XP SP3 EN Null-Free Connect Back Shellcode
http://packetstormsecurity.org/files/97017/windowsnullfree-shellcode.txt
http://packetstormsecurity.org/files/97017/Windows-XP-SP3-EN-Null-Free-Connect-Back-Shellcode.html
Sat, 25 Dec 2010 17:56:39 GMT
228-byte Microsoft Windows XP SP3 EN null-free connect-back shellcode.

Windows XP SP3 EN Calc Shellcode
http://packetstormsecurity.org/files/96493/winxpcalc.c
http://packetstormsecurity.org/files/96493/Windows-XP-SP3-EN-Calc-Shellcode.html
Wed, 08 Dec 2010 19:32:08 GMT
16-byte Windows XP SP3 EN calc.exe shellcode.
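
Two of the shellcode entries above are constrained payloads: the Win32 egg-searching stub must locate a larger payload somewhere else in memory, and the null-free connect-back must survive a C-string copy. The C program below is an added example, not any of the listed shellcode. It implements the egg hunter's logic (a doubled 4-byte tag, page-wise skipping of unreadable memory, byte-wise scanning of readable pages) against a simulated address space, and the bad-character scan used to confirm a payload is null-free. The tag, page size, mapped-page layout and sample payload bytes are constructed for illustration.

```c
/* Added example, not the listed shellcode: the logic an egg hunter performs,
 * written in C so it runs anywhere, plus the bad-character scan a "null-free"
 * payload has to pass. The hunter walks an address space looking for an
 * 8-byte egg (a 4-byte tag repeated, here "w00t" -> "w00tw00t") and returns
 * the address just past it, where the real payload was staged. A real Win32
 * hunter probes each page with a system call so unmapped pages produce an
 * error instead of an access violation; here the address space is a static
 * buffer with a per-page "mapped" table standing in for that probe. Tag,
 * page size and the sample payload bytes are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096
#define NPAGES    4
#define EGG       "w00tw00t"
#define EGG_LEN   8

static uint8_t address_space[NPAGES * PAGE_SIZE];
static int     page_mapped[NPAGES];

static void as_reset(void)
{
    memset(address_space, 0, sizeof address_space);
    memset(page_mapped, 0, sizeof page_mapped);
}

/* Stand-in for the hunter's syscall probe: is the page holding p readable? */
static int page_readable(const uint8_t *p)
{
    return page_mapped[(size_t)(p - address_space) / PAGE_SIZE];
}

/* Stage egg + payload at (page, offset). Returns the payload's address, which
 * is what a correct hunt must come back with, or NULL if it does not fit. */
static const uint8_t *plant(size_t page, size_t off, const uint8_t *payload, size_t n)
{
    if (page >= NPAGES || off + EGG_LEN + n > PAGE_SIZE) return NULL;
    uint8_t *dst = address_space + page * PAGE_SIZE + off;
    memcpy(dst, EGG, EGG_LEN);
    memcpy(dst + EGG_LEN, payload, n);
    return dst + EGG_LEN;
}

/* The hunt. Unreadable pages are skipped whole (that is the point of the
 * probe); readable ones are scanned byte by byte for the doubled tag. The tag
 * is doubled so the hunter's own single copy of it is never a false match. */
static const uint8_t *egg_hunt(void)
{
    const uint8_t *p = address_space, *end = address_space + sizeof address_space;
    while (p + EGG_LEN <= end) {
        if (!page_readable(p)) {
            size_t page = (size_t)(p - address_space) / PAGE_SIZE;
            p = address_space + (page + 1) * PAGE_SIZE;   /* jump to the next page */
            continue;
        }
        if (memcmp(p, EGG, EGG_LEN) == 0) return p + EGG_LEN;
        p++;
    }
    return NULL;
}

/* Offset of the first byte of buf that appears in the bad-character set
 * (e.g. "\0" for a null-free constraint, "\r\n" for line-based protocols),
 * or -1 if the buffer is clean. */
static long first_badchar(const uint8_t *buf, size_t len, const uint8_t *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) return (long)i;
    return -1;
}

int main(void)
{
    static const uint8_t payload[] = { 0x31, 0xc0, 0x50 };        /* constructed bytes */
    as_reset();
    page_mapped[0] = page_mapped[2] = page_mapped[3] = 1;           /* page 1 is unmapped */
    memcpy(address_space + 16, "w00t", 4);                          /* decoy single tag */
    const uint8_t *staged = plant(3, 100, payload, sizeof payload);
    const uint8_t *found = egg_hunt();
    printf("hunt %s (offset %ld)\n", found == staged ? "ok" : "failed",
           found ? (long)(found - address_space) : -1L);
    printf("null-free: %s\n",
           first_badchar(payload, sizeof payload, (const uint8_t *)"\0", 1) < 0 ? "yes" : "no");
    return 0;
}
```

On real Windows the per-page probe is a system call that returns an error for an unmapped address instead of faulting; the page_mapped table stands in for that. The egg is the tag written twice so that the hunter's own single copy of the tag, which sits in its code, is never mistaken for the payload marker.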