White Phosphorus

The White Phosphorus Exploit Pack is the latest exploit pack designed for Canvas, started in 2010. White Phosphorus aims to provide customers with reliable attack methods and tools when performing penetration tests.


The White Phosphorus Exploit Pack includes:


White Phosphorus Exploit Pack Highlighted Modules

White Phosphorus Exploit Pack Version 1.12

* wp_hp_dataprotector_stutil *

This module exploits a remote overflow in the HP Data Protector Backup Client OmniInet Service. The vulnerable service listens on port 5555, so it is probably only going to be found on an internal network; however, it does provide you with a SYSTEM level Mosdef node.

Oh, and there is always the irony of owning someone through an enterprise-grade backup solution.

* wp_mozilla_firefox_nstreerange (CVE-2011-0073) *

We are very happy to be able to bring you this module, which exploits a vulnerability in Firefox versions 3.6.0 through to 3.6.16. This module bypasses DEP and ASLR on anything from Windows XP through to Windows 7 to reliably provide a Mosdef node back to you.

* wp_vlc_mediaplayer_libmod (CVE-2011-1574) *

This module is the third VLC module to enter the White Phosphorus pack and exploits a vulnerability in the libmod_plugin on VLC v1.1.8.


White Phosphorus Exploit Pack Version 1.11

We have been working hard this month on a new ASLR/DEP bypass technique that works against IE8 and IE9. Looking forward to seeing this put to use in some modules in the coming months.

In the meantime this pack includes an exploit for RealWin SCADA Server On_FC_RFUSER_FCS_LOGIN Remote Overflow and a recent exploit for VLC player.


White Phosphorus Exploit Pack Version 1.10

* wp_ie_sandbox_escape *

With the recent publicity around escaping the IE protected mode sandbox, we thought it was time to release a module to provide our customers with the same ability.

This module takes advantage of a weakness in the interaction of different components to provide an escalation from Low integrity level to Medium integrity level. In other words, it escapes the IE8 sandbox.

As this module is independent of any original exploit, it is likely to be successful as an escape from any sandbox restricting the current process to the Low integrity level.

* wp_cisco_webex_wrf (CVE-2010-3269) *

This module exploits the file format overflow in the Cisco WebEX Player that was disclosed by Core. The exploit creates a single file that will exploit the player on all recent Windows versions.


White Phosphorus Exploit Pack Version 1.09

* wp_vlc_mediaplayer_mkvdemuxer (CVE-2011-0522) *

This module exploits a vulnerability that exists in multiple different versions of VLC. Considerable effort went into the development of this module, to the extent that the generated exploit file will successfully work on the last 3 recent release versions.

* Multiple Client Side Modules *

Modules for the following exploits are also included in this pack:
    wp_globalscape_cutezip_zip (CVE-2010-2590)
        - GlobalSCAPE CuteZip v2.1 .zip Clientside Overflow
        - Mini-Stream WM Downloader .m3u Clientside Overflow
        - RealNetworks Netzip Classic Clientside Overflow
        - Virtuosa Phoenix Edition .asx Clientside Overflow
        - xRadio .xrl Clientside Overflow


White Phosphorus Exploit Pack Version 1.08

* wp_wireshark_enttec (CVE-2010-4538) *

There's something quite awesome about exploits that can be sent to every host via a broadcast address. This module exploits the vulnerability in the ENTTEC dissector on version 1.4.2 on Windows XP machines and will return a shell from any machines running the vulnerable version of the sniffer.

Unfortunately it will cause a DoS on any other OS or version, which can still be useful to disable network monitoring.

* wp_winlog_scada_server *

Another SCADA exploit for those rare times when they come in scope of your testing. This module reliably exploits Sielco Sistemi Winlog running on most current Windows versions.


White Phosphorus Exploit Pack Version 1.07

* wp_ie_css_import *

And they thought it was a DoS only. This latest White Phosphorus exploit module gives you a reliable shell exploiting this still unpatched IE browser bug. We've had this in testing for the last few days, and are proud to release it with targets for bypassing DEP and ASLR against IE 7 and 8 running on Windows XP, Windows Vista and Windows 7. Merry Christmas.

* wp_exim4_string_format (CVE-2010-4344) *

Things just wouldn't be complete without a module that exploits this bug that has been around for so long. It's not often that a reliable remote in an exposed service such as this comes along, so it is just the thing for a Christmas release.

* wp_foxit_title *

This release also includes another Foxit PDF reader exploit module. This one targets the previous Foxit version and is reliable on Windows XP, Vista and Windows 7. And for those targets using Foxit on Windows XP, our 0day wp_foxit_XXXXX module still successfully exploits the latest version.


White Phosphorus Exploit Pack Version 1.06

* wp_struts2_cmdexec (CVE-2010-1870) *

This module has been designed for use in real environments, which are typically firewalled. The payload options include blind cmd execution, various reverse shell options, and the ability to upload a web shell and automatically locate and deploy into the target web root.

* wp_nuance_pdf_reader_launch *

Is any PDF reader safe? This new module complements the numerous other PDF attack modules contained in the White Phosphorus exploit pack. This module works against Windows XP, Vista, and Windows 7 and will bypass any DEP protection in use.

* wp_oracle_java_docbase (CVE-2010-3552) *

Adding to the growing number of clientside modules supported by our pack, we have included an exploit for a recent Java vulnerability. This module is a cross Windows OS universal DEP exploit against the JRE, through the docbase parameter overflow.

* wp_realwinserver_scpc_textevent *

Another SCADA exploit module to attack clients through the RealWin SCADA Server SCPC_TEXTEVENT Remote Overflow.


White Phosphorus Exploit Pack Version 1.05

* wp_scadaengine_bacnet_opc_client_csv *

Obviously not the most widespread software, but our team thinks that anything to do with SCADA is worthwhile. If you find yourself in a position to be testing this type of environment, then having access to reliable SCADA client exploits is always a bonus.

* wp_foxit_XXXXX (0DAY) *

This module was added in version 1.2 of the White Phosphorus exploit pack, and still works against the latest version of Foxit reader when running on Windows XP.


White Phosphorus Exploit Pack Version 1.04

* wp_quicktime_punk (CVE-2010-1818) *

This module exploits the recently released information that Apple had left in a 'feature' allowing the use of user supplied memory locations.

Our exploit works reliably against Windows XP, Windows Vista and Windows 7 and has been tested via Internet Explorer versions 6, 7, and 8.

* wp_adobe_sing (CVE-2010-2883) *

This still unpatched vulnerability was found to be actively exploited in the wild. This exploit module allows you to have the same fun within your target environments.
This exploit module does not require JavaScript to be enabled within Adobe Reader and does not require write access to any directory. The module has been confirmed against Adobe Reader 9.1.0, 9.3.0, 9.3.4 running on Windows XP, Windows Vista and Windows 7.

* wp_foxit_cff (CVE-2010-1797) *

Not to be left out, this module exploits the 'iphone jailbreak' CFF vulnerability which also affected Foxit PDF Reader. Delivered via email, HTTP or ClientD itself, this reliable exploit module targets Foxit Reader 3.1, 3.2, 3.3, and 4.0 on Windows XP, Windows Vista and Windows 7.


White Phosphorus Exploit Pack Version 1.03

* wp_oracle_securebackup_exec (CVE-2010-0907) *

It's Oracle, and it's Secure, so here is a remote SYSTEM level shell for you. This module exploits two vulnerabilities to bypass authentication and then perform a command injection attack against the PHP web application.

The current module works against Windows hosted systems, with plans to include other supported platforms in the next pack release.

* wp_viclient (0-Day) *

This client side module exploits an issue in an ActiveX control deployed with version 2.5 of VMWare's VIClient.

* wp_sjsws70u7_webdav (CVE-2010-0361) *

Another remote SYSTEM level exploit. This module exploits the server running on Windows 2003 or Windows 2008. This was an interesting bug to make reliable, and luckily enough the server has a watchdog process that we abuse to find the required padding values.


White Phosphorus Exploit Pack Version 1.02

* wp_????_?????? (0Day) *

This module exploits a vulnerability in all recent versions of a popular PDF reader, including the current version. The exploit is delivered through a PDF file, which does not rely on JavaScript to carry out the exploit.

Unfortunately, due to the heap header encryption that is in place for Vista and later operating systems, this module will only work reliably on Windows XP systems.

* wp_mysql_list_fields (CVE-2010-1850) *

This module reliably exploits this vulnerability in MySQL to obtain SYSTEM level rights. The connection requires knowledge of valid credentials, so it is particularly useful during penetration tests after the compromise of a web application server.

* wp_novell_zcm_preboot (No CVE) *

Another remote SYSTEM level exploit. This module exploits the preboot service of Novell ZENworks Configuration Manager. Useful for when you are already inside a network and want to expand your reach.


White Phosphorus Exploit Pack Version 1.01

* wp_wireshark_lwres (CVE-2010-0304) *

This module exploits a vulnerability in the LWRES Dissector. The White Phosphorus module was designed from the beginning so that the exploit packet could be sent to a network broadcast address, therefore attacking any active instances of Wireshark in the network segment.

To accomplish this, the White Phosphorus exploit was specially created to work against multiple different Wireshark versions and on any Windows OS that it encountered, including the ability to bypass ASLR and DEP if applicable.

* wp_aspx_shell *

During a penetration testing assignment against a .NET web application, it is often possible to upload a .aspx scripting file to obtain command execution. With this White Phosphorus module, you can now upload a page that will provide you with a full MOSDEF node. This can then be used to harness the power of Canvas to discover and exploit further vulnerabilities within the network.

This module doesn't require the ability to write and execute a file, as it uses pointer misdirection through APIs to execute the MOSDEF payload straight from the .aspx page.

* wp_tcpforward *

Ever wished you could channel an RDP session through an exploited server into the network? Ever wanted the ease of using the native SQL manager to access an internal MSSQL database? Well now you can.

The powerful wp_tcpforward module provides both forward and reverse TCP port redirection, giving you the ability to proxy connections across multiple MOSDEF nodes. This means you can use any native client to reach any internal servers through the MOSDEF network.