For sales enquiries email sales@immunityinc.com
http://www.immunityinc.com/products-whitephosphorus.shtml

Public Releases

Sayonara
     Universal ASLR + DEP bypass for Windows [2003/XP/Vista/7] with JRE
mscorie DEP Bypass
     DEP Bypass for IE 8 with .net2.0
Windows XP DEP Bypass
     Universal DEP bypass for Windows XP SP2/SP3
Windows 2003 DEP Bypass
     Universal DEP bypass for Windows 2003 SP1/SP2

Highlighted Modules

Version 1.20

* wp_symantec_pcanywhere_awhost32 (CVE-2011-3478) *

Want remote SYSTEM-level control of the number one best-selling remote control
software? We give it to you, no authentication required: Symantec pcAnywhere 12.5
remote code execution.

* wp_struts2_cmdexec2 (CVE-2011-3923) *
	
As with our previous Struts module, this module has been designed for
use in real environments, which are typically firewalled. The payload
options include blind command execution, various reverse shell options,
and the ability to upload a web shell and automatically locate the
target web root and deploy into it.

* wp_mcafee_saas_showreport *

This module exploits an unpatched remote command execution vulnerability
in McAfee Security-as-a-Service and returns a fully functional MOSDEF node.

* wp_3s_codesys_cmpwebserver *

Once again we add to White Phosphorus's long list of SCADA modules. This
module exploits a remote overflow in the 3S CoDeSys SCADA CmpWebServer,
bypassing DEP.

Version 1.19

* wp_ipswitch_whatsupgold_tftp *

This module takes a directory traversal vulnerability in the Ipswitch WhatsUpGold
TFTP Server and leverages it into remote code execution. Some would show you
files; WP shows you shells!

* wp_microsys_promotic_webdir *

This month we add another module to White Phosphorus's long list of SCADA
modules, exploiting a directory traversal vulnerability in the Microsys
Promotic SCADA Webdir.

Version 1.18

* wp_ms11_021 (CVE-2011-0103) *

This module exploits a clientside overflow in Microsoft Office
Excel 2007. It comes with DEP bypassing targets for all available
service packs.

* wp_vandyke_absoluteftp *

This module exploits a clientside vulnerability in an application that
has been developed by the makers of SecureCRT. The vulnerable application
is AbsoluteFTP. We trigger an overflow in the LIST command and bypass
DEP on the vulnerable target.

Version 1.17

* wp_apple_safari_webkit_libxslt (CVE-2011-1776) *

This module exploits a recently patched vulnerability in the libxslt used by
Apple Safari's WebKit: a remote file creation flaw that leads to a
fully functional MOSDEF node.

* wp_wireshark_lua (CVE-2011-3360) *

This module takes advantage of a script execution flaw in Wireshark.
It works across countless versions and is 100% reliable against a
vulnerable target.

* wp_cytel_cytelstudio_logxact_cy3 * 

This module exploits a clientside overflow in Cytel Studio LogXact. This
software is marketed as the fastest and most powerful logistic
regression analysis software available today. A module for the StatXact
version is also included.

Version 1.16

* wp_apple_quicktime_pnsize (CVE-2011-0257) *

This module exploits an unsigned to signed conversion issue in Apple
Quicktime. It bypasses DEP to allow remote code execution under the context
of the current user.

* wp_measuresoft_scadapro_xf *

This module exploits a remote code execution vulnerability in Measuresoft
ScadaPro with complete reliability. It is one of two SCADA modules in
this month's release of White Phosphorus.

* wp_interactivedata_esignal_quo *

This module exploits a file format clientside overflow in Interactive Data
eSignal. With this module White Phosphorus branches out into the world of
trading. Other trading modules are also included in this release.

Version 1.15

* wp_ms10_104 (Microsoft SharePoint Server 2007 Remote Code Execution) *

This module exploits a pre-auth remote code execution vulnerability in
Microsoft Office SharePoint Server 2007. Through interaction with the
document conversion service, this module uploads and executes a MOSDEF
trojan, providing access under the SYSTEM user context.

* wp_ca_arcserve_d2d_gwt *

This module exploits an administrator credential disclosure vulnerability which
leads to remote code execution on CA ARCserve D2D. The module provides a
MOSDEF node via execution over an SMB share.

* wp_hp_dataprotector_exec_cmd (CVE-2011-0923) *

This module exploits a remote command execution vulnerability in the HP Data
Protector Backup Client OmniInet service, providing command execution under
the SYSTEM user context.

Version 1.14

* wp_advantech_broadwin_webaccess *

This module exploits a vulnerability in an ActiveX control delivered with
the Advantech BroadWin WebAccess SCADA/HMI. As usual, this exploit will
bypass DEP on all versions of Windows from XP through to Windows 7.

* wp_bluecoat_bcaaa_bcaaa130 * 

An exploit module for a remote overflow in the Bluecoat Authentication and
Authorization Agent service. This module successfully targets Windows 2003,
XP, Vista and Windows 7, reliably returning a MOSDEF node.

* wp_citrix_provisioningservices_streamprocess *

A nice, reliable exploit for the public vulnerability in Citrix
Provisioning Services. This module returns a node running under
the SYSTEM privilege level.

Version 1.13

* wp_ms11_050_layout_grid (CVE-2011-1256) *

This module exploits a recently patched vulnerability in Microsoft
Internet Explorer. The White Phosphorus module successfully returns a
MOSDEF node from Internet Explorer 7 or 8 on XP, Vista, and Windows 7.

* wp_symantec_ams_hdnlrsvc_createprocess (CVE-2010-0111) * 

Vulnerabilities in the software designed to keep people secure are always
good for enterprise testing. This module results in command execution or
a MOSDEF node on Symantec AntiVirus Corporate Edition 10.x before 10.1 MR10,
Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5
and 3.6.

* wp_ibm_tivoli_endpoint_lcfd *

Remote code execution through a vulnerability in IBM Tivoli Endpoint over
TCP port 9495.

Version 1.12

* wp_hp_dataprotector_stutil *

This module exploits a remote overflow in the HP Data Protector Backup
Client OmniInet service. The vulnerable service listens on TCP port 5555,
so it is probably only going to be found on an internal network; however,
it does provide you with a SYSTEM-level MOSDEF node.

Oh, and there is always the irony of owning someone through an enterprise
grade backup solution.

* wp_mozilla_firefox_nstreerange (CVE-2011-0073) * 

We are very happy to be able to bring you this module, which exploits a
vulnerability in Firefox versions 3.6.0 through to 3.6.16. This module
bypasses DEP and ASLR on anything from Windows XP through to Windows 7
to reliably provide a MOSDEF node back to you.

* wp_vlc_mediaplayer_libmod (CVE-2011-1574) *

This module is the third VLC module to enter the White Phosphorus pack
and exploits a vulnerability in the libmod plugin of VLC v1.1.8.

Version 1.11

We have been working hard this month on a new ASLR/DEP bypass technique
that works against IE8 and IE9. Looking forward to seeing this put to use
in some modules in the coming months.

In the meantime this pack includes an exploit for RealWin SCADA Server 
On_FC_RFUSER_FCS_LOGIN Remote Overflow and a recent exploit for VLC player.

Version 1.10

* wp_ie_sandbox_escape *

With the recent publicity around escaping the IE protected mode sandbox, we
thought it was time to release a module to provide our customers with the
same ability.

This module takes advantage of a weakness in the interaction of different
components to provide an escalation from Low integrity level to Medium
integrity level. In other words, it escapes the IE8 sandbox.

As this module is independent of any original exploit, it is likely to be
successful as an escape from any sandbox restricting the current process to
the Low integrity level.

* wp_cisco_webex_wrf (CVE-2010-3269) * 

This module exploits the file format overflow in the Cisco WebEx Player that
was disclosed by Core. The exploit creates a single file that will exploit
the player on all recent Windows versions.

Version 1.09

* wp_vlc_mediaplayer_mkvdemuxer (CVE-2011-0522) *

This module exploits a vulnerability that exists in multiple different
versions of VLC. Considerable effort went into the development of this
module, to the extent that the generated exploit file will successfully
work on the last three release versions.

* Multiple Client Side Modules * 

Modules for the following exploits are also included in this pack:
    wp_globalscape_cutezip_zip (CVE-2010-2590)
        - GlobalSCAPE CuteZip v2.1 .zip Clientside Overflow
    wp_ministream_wmdownloader_m3u
        - Mini-Stream WM Downloader .m3u Clientside Overflow
    wp_real_netzip_classic
        - RealNetworks Netzip Classic Clientside Overflow
    wp_virtuosa_phoenix_asx
        - Virtuosa Phoenix Edition .asx Clientside Overflow
    wp_xradio_xrl
        - xRadio .xrl Clientside Overflow

Version 1.08

* wp_wireshark_enttec (CVE-2010-4538) *

There's something quite awesome about exploits that can be sent to every
host via a broadcast address. This module exploits the vulnerability in the
ENTTEC dissector of Wireshark 1.4.2 on Windows XP and will return a
shell from any machine running the vulnerable version of the sniffer.

Unfortunately it will cause a DoS on any other OS or version, which
can still be useful for disabling network monitoring.

* wp_winlog_scada_server * 

Another SCADA exploit for those rare times when they come into scope of your
testing. This module reliably exploits Sielco Sistemi Winlog running on most
current Windows versions.

Version 1.07

* wp_ie_css_import *

And they thought it was a DoS only. This latest White Phosphorus exploit
module gives you a reliable shell exploiting this still unpatched IE browser
bug. We've had this in testing for the last few days, and are proud to release
it with targets for bypassing DEP and ASLR against IE 7 and 8 running on
Windows XP, Windows Vista and Windows 7. Merry Christmas.

* wp_exim4_string_format (CVE-2010-4344) * 

Things just wouldn't be complete without a module that exploits this
bug that has been around for so long. It's not often that a reliable remote
in an exposed service such as this comes along, so it is just the thing for a
Christmas release.

* wp_foxit_title *

This release also includes another Foxit PDF Reader exploit module. This one
targets the previous Foxit version and is reliable on Windows XP, Vista and
Windows 7. And for those targets using Foxit on Windows XP, our 0day
wp_foxit_XXXXX module still successfully exploits the latest version.

Version 1.06

* wp_struts2_cmdexec (CVE-2010-1870) * 

This module has been designed for use in real environments, which are
typically firewalled. The payload options include blind cmd execution,
various reverse shell options, and the ability to upload a web shell
and automatically locate and deploy into the target web root.

* wp_nuance_pdf_reader_launch *

Is any pdf reader safe? This new module complements the numerous other
PDF attack modules contained in the White Phosphorus exploit pack. This
module works against Windows XP, Vista, and Windows 7 and will bypass
any DEP protection in use.

* wp_oracle_java_docbase (CVE-2010-3552) *

Adding to the growing number of clientside modules supported by our
pack, we have included an exploit for a recent Java vulnerability.
This module is a universal DEP-bypassing exploit against the JRE across
Windows versions, via the docbase parameter overflow.

* wp_realwinserver_scpc_textevent *

Another SCADA exploit module, attacking the RealWin SCADA Server through
the SCPC_TEXTEVENT remote overflow.

Version 1.05

* wp_scadaengine_bacnet_opc_client_csv * 

Obviously not the most widespread software, but our team thinks that
anything to do with SCADA is worthwhile. If you find yourself in a
position to be testing this type of environment, then having access to
reliable SCADA client exploits is always a bonus.

* wp_foxit_XXXXX (0DAY) *

This module was added in version 1.02 of the White Phosphorus exploit
pack, and still works against the latest version of Foxit Reader when
running on Windows XP.

Version 1.04

* wp_quicktime_punk (CVE-2010-1818) * 

This module exploits the recently released information that Apple had
left in a 'feature' allowing the use of user supplied memory locations.

Our exploit works reliably against Windows XP, Windows Vista and
Windows 7 and has been tested via Internet Explorer versions 6, 7, and 8.

* wp_adobe_sing (CVE-2010-2883) *

This still unpatched vulnerability was found to be actively exploited
in the wild. This exploit module allows you to have the same fun within
your target environments.
 
This exploit module does not require JavaScript to be enabled within
Adobe Reader and does not require write access to any directory. The
module has been confirmed against Adobe Reader 9.1.0, 9.3.0 and 9.3.4
running on Windows XP, Windows Vista and Windows 7.

* wp_foxit_cff (CVE-2010-1797) *

Not to be left out, this module exploits the 'iphone jailbreak' CFF
vulnerability which also affected Foxit PDF Reader. Delivered via
email, HTTP or ClientD itself, this reliable exploit module targets
Foxit Reader 3.1, 3.2, 3.3, and 4.0 on Windows XP, Windows Vista and
Windows 7.

Version 1.03

* wp_oracle_securebackup_exec (CVE-2010-0907) * 

It's Oracle, and it's Secure, so here is a remote SYSTEM-level shell for
you. This module exploits two vulnerabilities to bypass authentication
and then perform a command injection attack against the PHP web
application.

The current module works against Windows hosted systems, with plans to
include other supported platforms in the next pack release.

* wp_viclient (0-Day) *

This clientside module exploits an issue in an ActiveX control
deployed with version 2.5 of VMware's VIClient.

* wp_sjsws70u7_webdav (CVE-2010-0361) *

Another remote SYSTEM-level exploit. This module exploits the WebDAV
component of Sun Java System Web Server 7.0 Update 7 running on Windows 2003
or Windows 2008. This was an interesting bug to make reliable, and luckily
the server has a watchdog process that we abuse to find the required
padding values.

Version 1.02

* wp_????_?????? (0Day) * 

This module exploits a vulnerability in all recent versions of a popular
PDF reader, including the current version. The exploit is delivered through
a PDF file and does not rely on JavaScript to carry out the exploit.

Unfortunately, due to the heap header encryption that is in place for
Vista and later operating systems, this module will only work reliably
on Windows XP systems.

* wp_mysql_list_fields (CVE-2010-1850) *

This module reliably exploits this vulnerability in MySQL to obtain
SYSTEM-level rights. The connection requires valid credentials, so the
module is particularly useful during penetration tests after the
compromise of a web application server.

* wp_novell_zcm_preboot (No CVE) *

Another remote SYSTEM-level exploit. This module exploits the preboot
service of Novell ZENworks Configuration Management. Useful for when you are
already inside a network and want to expand your reach.

Version 1.01

* wp_wireshark_lwres (CVE-2010-0304) * 

This module exploits a vulnerability in the LWRES dissector. The White
Phosphorus module was designed from the beginning so that the exploit packet
could be sent to a network broadcast address, thereby attacking any active
instances of Wireshark on the network segment.

To accomplish this, the White Phosphorus exploit was specially created to
work against multiple different Wireshark versions and on any Windows OS
that it encountered, including the ability to bypass ASLR and DEP where
applicable.

* wp_aspx_shell * 

During a penetration testing assignment against a .net web application, it
is often possible to upload a .aspx scripting file to obtain command
execution. With this White Phosphorus module, you can now upload a page
that will provide you a full MOSDEF node. This can then be used to harness
the power of Canvas to discover and exploit further vulnerabilities within
the network.

This module doesn't require the ability to write and execute a file, as it
uses pointer misdirection through APIs to execute the MOSDEF payload
straight from the .aspx page.

* wp_tcpforward *

Ever wished you could channel an RDP session through an exploited server
into the network? Ever wanted the ease of using the native SQL manager to
access an internal MSSQL database? Well now you can.

The powerful wp_tcpforward module provides both forward and reverse TCP port
redirection giving you the ability to proxy connections across multiple
MOSDEF nodes. This means you can use any native client to reach any internal
servers through the MOSDEF network.
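The forward redirection described above, as an added illustration that is not
part of the White Phosphorus pack or any Immunity code: a minimal TCP port
redirector in Python, standing in for what a node-side forwarder does. A
constructed local echo service plays the role of the internal server, and two
forwarders are chained to mirror proxying across multiple nodes. All hosts and
ports are assumptions (loopback, ephemeral ports); the reverse direction is the
same relay with the listening side placed on the far host.

```python
import socket
import threading


def _pump(src, dst):
    """Relay bytes from src to dst until src reaches EOF, then propagate the
    half-close so the far end sees exactly what this end saw."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Forwarder:
    """Forward TCP redirection: accept on listen_port and relay every
    connection to (target_host, target_port). On a compromised host this
    lets a native client reach an otherwise unreachable internal service."""

    def __init__(self, listen_host, listen_port, target_host, target_port):
        self.target = (target_host, target_port)
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((listen_host, listen_port))   # port 0 = pick a free one
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()           # target down: drop the client, do not hang it
            return
        upstream.settimeout(None)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)      # client -> target in this thread
        back.join()                  # wait for target -> client to drain
        client.close()
        upstream.close()

    def close(self):
        try:
            self._srv.shutdown(socket.SHUT_RDWR)   # wakes a blocked accept() on Linux
        except OSError:
            pass
        self._srv.close()


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for an internal service (e.g. a database): echoes
    whatever it receives. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def serve(conn):
        _pump(conn, conn)
        conn.close()

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(payload=b"SELECT 1\r\n"):
    """Chain two forwarders (two pivot hops) in front of the echo service and
    push payload through the chain. Returns the bytes that came back."""
    echo_srv, echo_port = start_echo_server()
    hop2 = Forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)  # "on the inner node"
    hop1 = Forwarder("127.0.0.1", 0, "127.0.0.1", hop2.port)  # "on the outer node"
    try:
        with socket.create_connection(("127.0.0.1", hop1.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)        # done sending; read until EOF
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    finally:
        hop1.close()
        hop2.close()
        echo_srv.close()


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the relay is the half-close handling:
each direction is pumped independently and an EOF on one side is forwarded as
SHUT_WR rather than a full close, so a protocol such as an RDP or MSSQL session
that keeps one direction open after the other finishes is not torn down early.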